The Role and Responsibility of the External Auditor towards the Cloud Computing (An Empirical Study)
Prepared by
Hxxx Hxxxxxx Mxxxxxx
1.Chapter one: General Framework
1.1 Introduction and Background
The cloud computing represents one of the challenges, which faces both accountants and auditors since some organizations have changed to adopt cloud computing. The cloud computing has been dramatically increased in the last few years. It also represents a new type of business economic patterns at the global level, in the information age, and advanced modern technology in this time where borders disappear and entr’acte geography, and changed the concept of the determinants of capital. With cloud computing has become imperative for the economic units that seek to strengthen its competitive position to adapt the electronic environment, by changing its accounting system radically or gradually and focusing on the so-called electronic accounting. After the emerge of new technologies in the business world as an extension of the electronic environment and development as one of the most important challenges in front of the new accounting and auditing. The modern revolution in Information Technology (IT) has become the backbone of cloud computing. With the development of E-Business (EB) activities, it becomes the perfect computer and communications networks to run, based on its strong dependence on computer systems, holds a huge threat to the control ineffective. Inappropriate use may result in disastrous consequences, and the existence of computer viruses and hackers, computer crimes, and so have led to the risk of cloud computing information distortion.
The traditional accounting information system is limited by many factors including the inadequate preparation of hardware facilities, lack of professional, high initial investment costs, complex maintenance process, which restricts the development process accounting information of some companies and greatly weakens the enterprise’s competitiveness. In recent years, cloud accounting has received high attention for its low-cost, high-efficiency mode of accounting information technology in the industry. Cloud accounting is virtualized accounting information system providing accounting services for the enterprise based on the Internet. Its conception can be explained from two aspects. For cloud accounting supplier, cloud accounting is an accounting information system by cloud computing technology, and suppliers need to provide hardware and software facilities and the construction of accounting information systems. For businesses, cloud accounting is based on the Internet, so if you want to use online accounting information system, you need to pay for it. Construction of cloud accounting is currently a hot issue in the industry and academic, and it has an absolute advantage in terms of cost, efficiency, reliability, etc. ( Zhang Cancan,2014).
Cloud operating model is currently a hot topic in the world of cloud accounting. Accounting cloud, which “Online Accounting,” They say like bookkeeping works users are installed on your computer, except that the soft cloud accounting software on the servers’ provider online services “, is applicable to any number of users and companies and organizations can use their web browser, on internet access it. This means that you as a user company or organization, each time an Internet connection are able to access their company’s finances from anywhere and any device you’re using. Accounting firms and organizations through cloud users online accounting software applications, “presented Software services “in the cloud have access, in fact, the use of accounting software in a similar model (Software As a Service) provider of online services to buy. They for software, hardware or network not pay, but computing power and software services needed to purchase (Webopedia. com, 2013). With this interpretation, if accounting professionals to conclude cloud computing, outsourcing in the old drink new bottles and many have gone astray. Cloud-like business process outsourcing, such as the purchase of one or more than one offer outsourcing service organization. A key difference in what the buyer is usually a process of outsourcing work is defined as the average salary in what is cloud computing infrastructure and services purchased fan some or all of the information that may be done not rely on it. Basically the information technology infrastructure in all areas of business including accounting firms under effects. It seems logical that here the necessity of using cloud computing in accounting too.
Small businesses are the biggest beneficiaries of online cloud accounting and there are numerous ways in which moving to the cloud can be of value. Working in the cloud will give you the opportunity to reduce the amount of time you spend on difficult working, time-consuming tasks, allowing you to concentrate on what you do best: growing your business. You can also be confident that you will have greater access to real-time data for your business ‘ no matter where you are ‘ as business information is accessible any time, any place, on any device that has internet access (much like internet banking).
Information, knowledge and increase the emergence of big data is undoubtedly key for growth and success for businesses (Srikumar, 2013). The emergence of cloud computing and its growing impact on business, in general, is gaining traction around the world. Mortar companies such as Google and Salesforce.com reflect the model of cloud computing through sharing web infrastructure in terms of data storage, scalability, and computation (Kambil, 2009). In many ways, the role complements the invaluable role of ICT that has been increasingly emerging with a growing impact since the early 1980s, which then took a major boost with the proliferation of the Internet and the World Wide Web a decade later. According to Abeer Gamal, who works for one of the leading business associations in Egypt dealing mainly with SMEs: ‘ICT is the driver of the organization and especially SMEs; it keeps us competitive compared to our peers.’ On a more macro scale and at the global front, according to Gartner research, the cloud computing global market reached 150 billion US dollars in 2013 (Gartner, 2013). Moreover, according to a Boston Consulting Group study (2013) ‘technology adopter firms have increased their annual revenues 15% faster than firms with lower levels of technology adoption.’ In other words, cloud computing is a model for enabling on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned with minimal management effort (NIST, 2011).
Larger companies adopt cloud computing and they understand the potential and know how to utilize it to its full effect.
However, Benefits for the company:
1. Real-time to the project team, management and the audit committee with respect to control design and implementation.
2. Allow management to respond more timely to project and control issues.
3. Feedback relative to the use of more effective and cost-efficient automated application controls.
4. Identify risks which could jeopardize project timeliness or objectives.
5. Provides feedback to management and the audit committee on other matters which may come to our attention.
Benefits for the Audit:
1. In-depth understanding of the impacts of internal control over financial reporting.
1. Early identification of potential audit and control related issues and reduces the chances of surprise.
2. Identification automated controls helping to improve control testing effectiveness and efficiency.
3. Information about the integrity of underlying financial data.
4. Updated audit documentation relative changes in IT, new process and new controls to help facilitate effective audit planning, walk-through and control testing (KPMG,2012 ).
There are four different cloud deployment models including public, community, private and hybrid cloud environments. For example, SaaS usually operates within the public model whereas it is available to everyone with an Internet connection such as salesforce.com serving business-to-business (B2B) companies. Salesforce.com focuses on managing customer details and running sales campaigns; a typical customer relationship management (CRM) platform will be defined later (Sherif Kamel, Mariam Abouseif, 2015).
In Egypt, Cloud computing is the methodology that helps organizations to provide the maximum amount of IT efficiency and makes it possible to store, manage and analyze information in the world with its steady growth. It reflects a new consumption, supplement, and delivery model for IT services. It offers the computing processing power, storage, network bandwidth, software usage, software development, testing, security, identity as services over the Internet. The Ministry of Communications and Information Technology (MCIT) addresses Cloud Computing, Data Centers, Integrated Solutions, and Web 2.0 as top priorities in the international ICT agenda.
Towards this end, many agreements have been signed with foreign authorities in Germany, Malaysia, and Singapore for the purpose of sharing their expertise in terms of preparing Egyptian calibers to join this new industry.
Cloud computing offers tremendous cost-effectiveness by providing a ‘pay per use’ model and ensures professional management of the infrastructure. It is fair to say that this model is bound to change the fa”ade of IT usage across the world in the immediate near future.
It is expanding and becoming a popular solution among businesses worldwide when it presented efficient and optimistic results Increased revenues, expanding businesses, and new job creation, not limited to the information technology sector, are all possible through the extensive use of cloud computing (MCIT.com,2016).
National Telecom Regulatory Authority (NTRA) Communications addresses the four telecommunications companies in preparation to launch fourth-generation licenses, according to statements made by; the Minister of Communications and Information Technology Yasser judge The minister said that “before the end of the month of May 2016 will be the completion of the licenses to begin offering, the device has already called for the three companies (Vodafone, Orange and Telecom Egypt) to buy licenses”. Fourth-generation will allow users to deal with the Internet at high speeds, for example, will be able to deal with cloud computing.
1.2 Characteristics of cloud computing
Cloud computing services have characteristics which distinguish them from other technologies:
As a rule, cloud computing users do not own the IT resources they use, the servers they exploit being hosted in external data centers.
Services are provided via the pay ‘ per- use model or subscription model.
The resources and services provided to the client are often virtual and shared among several users.
The services are provided via the internet.
With these characteristics, cloud computing technology is a new solution giving users the option to access software and IT resources with the desired flexibility and modularity and at very competitive prices (Maaref, S.,2012).
1.3 Description of the main cloud computing services
Cloud computing comprises five types of services:
Infrastructure as a Service (IaaS ): Virtualized on-demand server, virtualized data center, flexible on-demand storage space, flexible local networks (LANs ), firewalls, security services, etc.
Platform as a service (PaaS ): platform for cloud computing services provision ( customer service management, billing, etc.)
Software as a Service (SaaS ): business applications, customer relations, and support (CRM), HR, finance (ERP ), online payments, electronic marketplace ( for very small and small and medium-sized enterprises), etc.
communication as a Service ( CaaS ): audio/ video communication services, collaborative services, unified communications, e-m ail, instant messaging, data sharing (web conference ).
A network as a Service (NAAS ): managed internet (guaranteed speed, availability, etc.), virtualized network (VPNs) coupled with cloud computing services, flexible and on-demand bandwidth (Maaref, S.,2012).
1.4 Legal framework of cloud computing
Governance in cloud computing mode
Comparison between the cloud computing and conventional “hosted applications” modes.
Comparison between the cloud computing and “licensed software” modes.
Interoperability and reversibility in cloud computing (Maaref,S. ,2012).
1.5 Research problem and Questions
The main problem can be represented as follows: What is the impact of cloud computing on the external auditors work? This can be summarized in the following points:
What is the methodology used by the external auditor towards the cloud computing to ensure the quality of the process?
What are the requirements needed by the external auditor in Egypt to face new risks associated with practice of cloud computing?
Is the external auditor in Egypt able to audit financial statements data’s for cloud computing process, and face its challenges in light of his current skills?
1.6 Research Objectives
The major reason and main objective behind choosing this topic is to define the role and responsibility of the external auditor towards the cloud computing. Identify the requirements and characteristics of cloud computing, Describe the approaches of E-Auditing that dealing with information systems. It led us to know the obstacles that stand in the face of cloud computing in Egypt.
Sub-Objectives:
How transactions are recorded on cloud computing?
The major risk facing cloud computing Accounting and Auditing.
Are external auditors in Egypt qualified and well trained to do this type of audit?
1.7 Research Hypotheses
The empirical study will be conducted through a self-developed questionnaire distributed among the external auditors (CPA Firms, Bank, and university stuff). The survey will be conducted based on a quantitative perspective. This study aimed to examine the role and responsibility of the external auditor towards the cloud computing activity. In order to assess the validity of the hypotheses in this research, the researcher has a different set of hypotheses to be used, as follows:
“H” _”\0\1″ There is a relationship between cloud computing activity and current skills, knowledge and qualification of Egyptian auditors in Egypt.
“H” _”\0\2″ There are impacts of cloud computing on the audit report.
“H” _”\0\3″ There are impacts of cloud computing on the risks of the audit process in Egypt.
“H” _”\04″ Cloud computing requires sufficient qualifications for auditors in the use of new technological tools used in the field of accounting.
1.8 Research Methodology
1.8.1 Theoretical study
This research will focus on two corners; the first corner for accounting and how the transactions are recorded in approved documents. The second corner will focus on studying the role and responsibility of the external auditors and its impact of cloud computing on the external auditor’s work. The third corner is studying cloud computing, in general, to understand how it operates. Therefore, the aims of the theoretical study are:
Identify the requirements and characteristics of cloud computing.
To explore whether the external auditors are able to make an audit planning, audit process, and audit report.
Identify the impacts of cloud computing on the risks of the audit process in Egypt.
1.8.2 Empirical Study
The Empirical study will start where the theoretical part left off, it will be conducted through self-developed questionnaire among the companies. It tackled the factors that were recognized through the theoretical section. The survey will be conducted based on a quantitative perspective. The factors will test to realize the level on which the role and responsibility of the external auditors are influenced by these factors. The study objective is to examine if the different factors have a direct effect on the level of responsibility of the external auditor. The different factors’ effects will analyze using SPSS program using statistical techniques such as multiple regression and means analysis.
The samples will focus on accountants working in cloud computing, external auditors within the auditing firms in Egypt and companies working with cloud computing.
1.9 Research Structure
The thesis structure is divided into five main chapters as follows:
The first chapter is the General framework introduction.
The second chapter discusses the role of accountants their problems, evidence, major risk facing accountants and tax.
The third chapter discusses the auditors’ background, role, responsibilities and challenges.
The fourth chapter discusses the cloud computing Background, Types, Security and Risks.
The fifth chapter discusses the empirical study’s finding, results and
conclusion of the whole thesis paper.
1.10 Literature Review
1) Bisong, A., & Rahman, M. (2011). An overview of the security concerns in enterprise cloud computing:
Objectives: In this paper, they have discussed security risks and concerns in cloud computing and enlightened steps that an enterprise can take to reduce security risks and protect their resources. The authors have also explained cloud computing strengths/benefits, weaknesses, and applicable areas in information risk management. This paper discussed the cloud computing security concerns and the security risk associated with enterprise cloud computing including its threats, risk and vulnerability.
Findings: Cloud computing is a combination of several key technologies that have evolved and matured over the years. Cloud computing has a potential for cost savings to the enterprises but the security risk is also enormous.
Enterprise looking into cloud computing technology as a way to cut down on cost and increase profitability should seriously analyze the security risk of cloud computing.
The strength of cloud computing in information risk management is the ability to manage risk more effectively from a centralized point. Security updates and new patches can be applied more effectively thereby allowing business continuity in an event of a security hole. Cloud computing weakness include the list of issues such as the security and privacy of business data being hosted in remote 3rd party data centers, being lock-in to a platform, reliability/performance concerns, and the fears of making the wrong decision before the industry begins to mature.
Enterprise should verify and understand cloud security, carefully analyze the security issues involved and plan for ways to resolve it before implementing the technology. Pilot projects should be setup and good governance should be put in place to effectively deal with security issues and concerns. Authors believe the move into the cloud computing should be planned and it should be gradual over a period of time.
Comments: This paper discussed the overview of security concerns in enterprise cloud computing while they did not explore the risk that will face the auditors and external cloud computing.
2) P.Krubhala and K.SaravanaKumar (2013), Dynamic auditing and accounting mechanism for policy based data access in cloud:
Objectives: Cloud computing is advancement in the field of information technology. The terminology cloud computing can be illustrated as the pay-as-you-use model in which this framework includes collection task where they are assigned to the clients who need it. Without the features of the internet, it’s impossible to provide a cloud environment. Lots of gains can be achieved through the cloud such as scalability, availability, flexible, lots of storage space, low cost and so on.
Although it embraces these benefits the major venture of cloud technology is that security and confidential of data stored and shared within or between the third party environment. In order to overcome this problem, the audit ability scheme can be endowed where this methodology supports to check the integrity of the data being stored and allows for the user data privacy. Further, the authors’ work also proposes the accounting mechanism for metering the resource usages where the system encloses user data along with their policies. The result of accounting mechanism is the generation of the log record.
Finding: The assurance cloud security is achieved by imposing both the auditing and accounting features. These are the major two features considered to solve the security-related issues in the cloud. Finally, they achieved the monitoring process in the cloud environment by proposing an efficient accounting mechanism which generates the log record as the result of the accounting function. In addition to that, it increases the level of security by allowing the data owners to specify their service level agreements which are the contract between the service providers and users to maintain their data secure. To improve the level of security the proposed work also allows verifying the integrity of the cloud storage. This can be achieved on the basis of allowing a third party auditor to audit the data and also it supports for the batch auditing and dynamic modification of the data in the cloud.
Comments: The authors propose the accounting mechanism for metering the resource usages where the system encloses user data along with their policies. The result of accounting mechanism is the generation of the log record while this thesis continues to record sufficient evidence documents to be audited.
3) Trivedi, H. (2013). Cloud Adoption Model for Governments and Large Enterprises: Submitted to the Mit Sloan School of management in partial fulfillment of the requirement for the degree of Master of Science in management studies at the Massachusetts institute of technology:
Objectives: it’s summarized in How should the government, public sector or a large enterprise go about adopting cloud? Is there a particular path to be followed? Are certain steps necessary to cloud adoption process? Do certain characteristics define organizations in the process of cloud adoption? Should certain competencies be developed for a successful move to the cloud? How do different organizations at different stages of cloud adoption look different from each other? Are there any examples to refer to? The objective of this thesis is to answer these questions by studying in depth large enterprises and governments which are either thinking of moving to the cloud or have taken steps to adopting cloud, identify any emerging patterns, explore drivers of cloud computing, and craft a model for cloud computing adoption.
Finding: Cloud is known as different things to different audiences but agencies such as NIST have cleared the mist to some degree. As organizations across the public sector and private sectors understand what cloud means for them, they are looking to act and deploy cloud solutions. Some organizations, studied as part of this thesis, have made significant progress in their journey to cloud and others are just about starting. These organizations offer tenable insights into what makes for a successful cloud program and the required competencies. Certain themes such as application rationalization and modernization, standardization, centralized governance (IT Monarchy / Business Monarchy or IT Monarchy / Federal Combinations), and change management have revealed themselves as common threads. The journeys specifically have been marked by proof of concepts, technology selection, infrastructure service, and platform service as milestones. The organizations at different stages of cloud adoption exhibit different characteristics and possess distinct competencies, and organizations should not bite more than they can chew, lest their programs fall flat. Furthermore, what might constitute a success for one organization might turn out to be a not so successful initiative for another organization as evidenced by virtual desktop. Last but not the least, cloud programs require competencies that organizations have tried to master for many decades now but what makes them different in the context of cloud are the scale i.e., cloud programs touch every piece of hardware, development platform, and enterprise software application in an organization and will potentially run for at least a decade for a large organization.
Comments and areas of further study: The thesis has attempted to explore in detail cloud adoption examples from a wide cross-section of organizations, raise questions and answer them. But many key questions still remain and these can be further areas of study. The Cloud Adoption Model discussed in this study is based on private cloud deployments. Increasingly organizations are looking at hybrid deployment models comprising private and public clouds. Further study can be done to understand cloud adoption in a hybrid scenario. The model equates the context of governments and large enterprises. The generalization has enabled the formulation of a model but ignored any specific procurement and adoption patterns. The model can be studied further to identify differences between adoption for governments and large enterprises. All of the organizations studied are in the process of adopting cloud. It shall be worthwhile to investigate those organizations where cloud program was executed but the results were not as per expectations. This shall test the tenets of the proposed adoption model and also suggest modifications. Cloud by its nature converts ostensible vertical silos into horizontal discs expected to perform different functions. Will such a horizontal, based on common standards, of verticals enable flexibility or impede it in the future when businesses change? As organizations leap into the future by executing cloud programs, they are also rooted in the past through a landscape of legacy applications, many of them business critical. Cloud programs offer the opportunity to rationalize and modernize those applications but to what extent should organizations returned legacy applications? How can organizations optimally manage their legacy and cloud platforms? Last but not the least; is it likely in any scenario for an organization to move back from cloud platform to a non-cloud platform? What could be the reasons behind such a move and how will it impact the platform strategy of future?
4)Brender, N., and Markov, I. (2013). Risk perception and risk management in cloud computing: Results from a case study of Swiss companies:
Objectives: In today’s economic turmoil, the pay-per-use pricing model of cloud computing, its flexibility and scalability and the potential for better security and availability levels are alluring to both SMEs and large enterprises. However, cloud computing is fraught with security risks which need to be carefully evaluated before any engagement in this area. This article elaborates on the most important risks inherent to the cloud such as information security, regulatory compliance, data location, investigative support and provider lock-in and disaster recovery. The researchers focus on risk and control analysis in relation to a sample of Swiss companies with regard to their prospective adoption of public cloud services. The researchers observe a sufficient degree of risk awareness with a focus on those risks that are relevant to the IT function to be migrated to the cloud. Moreover, the recommendations as to the adoption of cloud services depend on the company’s size with larger and more technologically advanced companies being better prepared for the cloud. As an exploratory first step, the results of this study would allow to design and implement broader research into cloud computing risk management in Switzerland.
Finding: Cloud computing presents some important risks which should be assessed by any enterprise considering engagement in this area. The main contribution consists of an empirical study of a sample of Swiss companies which aimed at analyzing the understanding of the risks that public cloud services present and how they can be managed. Even though the sample size is very limited, Authors can see sufficient awareness of both the risks and the management solutions. The authors of the reports have consulted the large volume of literature pertaining to cloud computing risks with some of the reports referring to the Swiss regulatory context as well. There is also a degree of originality in the reports as they have considered the risks in the specific context of the concerned companies and according to their needs and capabilities.
As authors could see, the detail and focus of the reports correspond to the particularity of the IT function to be migrated to the cloud. Therefore the reports were not just mere recounts of existing literature but show business awareness and planning capabilities. As far as the final recommendations of whether to go on the cloud are concerned, authors found that they depend on the company’s size, technological expertise, and corporate culture but not on the criticality of the process or sensitivity of the data to be migrated. The flexibility and cost-efficiency of the cloud should be more attractive to Small and Medium-sized enterprises (SMEs) as compared to large companies. On the other hand, there may still be a certain level of mistrust in SMEs regarding the cloud as they lack sufficient expertise and risk management skills. Indeed, the reports suggest that large companies are better prepared for the adoption of cloud services. Nevertheless, as this paper has shown, understanding, assessment, and mitigation of the risks are vital when it comes to cloud computing. Once these steps have been properly addressed, where necessary with the help of external advice, the cloud may not look like such a dangerous place even for SMEs.
Comments: they stress again on the limited nature of the study whose purpose was to serve as an introductory exploration of the risk analysis with regard to prospective adoption of cloud services. These findings cannot be extrapolated to all Swiss companies also this thesis will be applied on Egyptian companies and CPAs firms, but allow to devise a stricter and more rigorous methodology for further studies based on interviews, questionnaires or quantitative surveys.
5) Zhang, C. (2014).Challenges and Strategies of Promoting Cloud Accounting:
Objectives: Cloud accounting, as a new mode of accounting information model, plays an important role in enterprise accounting informationization process. Compared with the traditional accounting informationization system, cloud accounting boasts the advantage of low investment cost, low maintenance costs, low barriers to entry, while as the continuous development of cloud accounting, relevant problems raise one from another such as poor security, unique services. To solve these problems in order to promote the popularization and application of cloud accounting in enterprise requires the joint efforts of enterprises, suppliers and government.
Finding: cloud accounting as a new accounting online accounting service has its unique advantages, but it also faces many challenges in the application process. Cloud accounting suppliers should consider how to improve the security, functionality and public recognition of cloud accounting services, contributing to sound and healthy development of cloud accounting services, and allowing more companies to accept and adopt cloud accounting services. With the gradual improvement of accounting services cloud model, the large enterprises, multinational organizations will adopt this model to make cloud accounting develop and popularize faster in future so as to facilitate the process of accounting information technology.
6) Abd Al-kaderkalaf,O., and Ayyed.,E. (2015).IT Auditing to Assure a Secure Cloud Computing for Enterprise Applications
Objectives: Following are summarized objectives of the study :
To present and study the detailed framework of the cloud computing for enterprise applications.
To design and implement the large database based enterprise application for the cloud computing environment.
To implement the IT auditing mechanism for the security purpose.
Finding: In this research project, they are discussing over the cloud computing paradigm evolvement for the large business applications like CRM as well as introducing the new framework for the secure cloud computing using the method of IT auditing. In this case, the approach is basically directed towards the establishment of the cloud computing framework for the customer relationship management (CRM) applications with the use of checklists by following the data flow of the CRM application and its lifecycle. Those checklists are prepared on the basis of models of cloud computing such as deployment models and services models. With this project, the main concern is to present the cloud computing implications through the large database enterprise CRM application and achieving the desired level of security with design and implementation of IT auditing technique. They claim that with this proposed methods for the CRM applications, they will provide the security, regulations, and compliance of such cloud computing environments.
7) Kamel, S. , Abouseif, M. ( 2015) . A Study of the Role and Impact of Cloud Computing on Small and Medium Size Enterprises (SMEs) in Egypt:
Objectives: This paper aimed to analyze the business potential of offering cloud computing services to small and medium-sized enterprises (SMEs) in Egypt. It addressed the challenges that need to be tackled to maximize the utilization of cloud computing services and the role and prospects to be played by SMEs in transforming the economy in Egypt. SMEs are invaluable to fuel economic development and growth as well as creating employment opportunities in emerging economies especially in markets like Egypt with a massive youth opportunity represented by the current population demographics and projected growth ratios. The combination of youth, technology and the emergence of an entrepreneurial culture could represent the successful and much-needed ingredients for an ideal platform to support socioeconomic development moving forward. Several previous studies indicated a clear correlation between the proper adoption, diffusion, and adaptation of information and communication technology (ICT) and the development and growth of revenues and jobs among startups due to the prospects of emerging technologies that can categorically empower SMEs. In the world of cloud computing, ICT can help SMEs leverage an already existing and growing interconnected global community of consumers, businesses, industries, and markets of unprecedented and still growing size.
This study highlighted some of the facts and developments in the space of SMEs and the emerging role ICT is playing in the entrepreneurial ecosystem with a focus on cloud computing deployment and the associated challenges, opportunities and underlying potential in the context of an emerging economy, Egypt. The research methodology deployed in the study is primarily based on qualitative data generated through a series of one-to-one semi-structured interviews with different representatives of various stakeholders.
Finding: This research concluded that the cloud computing is arguably the most innovative breakthrough the IT industry has witnessed since the move from mainframes to personal computers. Entrepreneurs are increasingly looking at cloud solutions for regular analysis of data that can help grow their businesses.
However, with the opportunities created that are mentioned above such as organizational cost savings and flexibility to scale-up or down the IT infrastructure, there are still a variety of impediments. In the context of SMEs in emerging economies, there is a great interest in cloud computing given the less complexity required and the opportunities created.
Based on this study and confirming other previous studies, greater use and diffusion of ICT among SMEs and with the rapid penetration of cloud computing by SMEs, the potential to boost productivity and create job opportunities could be magnified. In other words, the concrete impact could be both economical and societal. In general, the adoption of cloud computing offers smart, quick and efficient services that can help achieve local and global competitiveness, the critical success factor remains the availability of the required human skills and capacities.
Arguably, with the proper deployment of emerging technologies and new business practices, SMEs can grow by about 20% per year as indicated by many of the entrepreneurs and experts interviewed for this study. However, effective investment in human capital is a priority. They are the differentiating factor and they need to be aware and knowledgeable of what technology can offer. The promising future of Egypt as is the case of many emerging economies will depend less on a few large leading projects in traditional industries and businesses and more on the widespread of unconventional innovative and entrepreneurial ideas and projects that would engage the technology youth community and that can help create a platform for job creation and employment. Startups and SMEs are agents of change and vehicles for economic development and new industries, new breakthroughs and new ventures were always created by new and growing companies.
To sum it up, Egypt needs to establish an ICT-driven ecosystem capitalizing on a creative and talented youth opportunity that can become the base for an entrepreneurial culture and a startup nation.
8) Koparkar, P., & MacKrell, D. (2016). How Fluffy is the Cloud?: Cloud Intelligence for a Not-For-Profit:
Objectives: Business Intelligence (BI) is becoming more accessible and less expensive with fewer risks through various deployment options available in the Cloud. Cloud computing facilitates the acquisition of custom solutions for not-for-profit (NFP) organizations at affordable and scalable costs on a flexible pay-as-you-go basis. In this paper, they explored the key technical and organizational aspects of BI in the Cloud (Cloud Intelligence) deployment in an Australian NFP whose BI maturity is rising although still low. This organization aspires to Cloud Intelligence for improved managerial decision making yet the issues surrounding the adoption of Cloud Intelligence are complex, especially where corporate and Cloud governance is concerned. From the findings of the case study, a conceptual framework has been developed and presented which offers a view of how governance could be deployed so that NFPs gain maximum leverage through their adoption of the Cloud.
Finding: In this paper, the authors argued that cloud governance is essential in this process to align organizational goals with the benefits that can be gained from cloud deployment. They presented a conceptual framework in which suggests that responsibility of governance should remain within the organization, although the responsibility of managing other IT functions may usefully be handed over to the cloud provider. Cloud governance facilitates a better fit for cloud computing services into existing processes of organizations to achieve business and financial objectives. Cloud governance assists to maintain centralized decision-making process which is in-line with the overall strategy of the organization. Governance is not something that can be considered as ‘nice-to-have’, it is something that every organization ‘needs-to-have’. There are undoubtedly a number of risks and uncertainties in transitioning to the cloud, so strong governance and control are an essential part of any decision to move to the Cloud.
This paper represented in one document some of the issues along with governance, security, and risk management issues associated with cloud computing before making any decision about implementing cloud intelligence. A major contribution of this study would be towards the practical aspects of understanding the technological needs of an NFP organization and tackling accordingly the security concerns and threats that arise from using the cloud. As more and more data moves from on-premises to the cloud, it will become more feasible for NFPs and SMEs to deploy BI in the cloud.
Comments: One of the limitations of this paper was that the frameworks have not been validated against supporting data at an operational level. Further research would be required to provide evidence of the effectiveness and feasibility of having in-house cloud governance by SMEs and small NFPs.
Nevertheless, the views presented in this paper about the responsibilities of governance have the potential to stimulate debate.
9) Gholami, A.(2016). Security and privacy of sensitive data in cloud computing: a survey of recent developments:PHD.Thesis Stockholm, Sweden 2016
Objectives : Cloud computing is revolutionizing many ecosystems by providing organizations with computing resources featuring easy deployment, connectivity, configuration, automation, and scalability. This paradigm shift raised a broad range of security and privacy issues that must be taken into consideration. Multi-tenancy, loss of control, and trust are key challenges in cloud computing environments. This paper reviewed the existing technologies and a wide array of both earlier and state-of-the-art projects on cloud security and privacy. They categorized the existing research according to the cloud reference architecture orchestration, resource control, physical resource, and cloud service management layers, in addition to reviewing the existing developments in privacy-preserving sensitive data approaches in cloud computing such as privacy threat modeling and privacy enhancing protocols and solutions. Also, it can be summarized in 3 main questions as follows:
Q1: Can they develop a methodology to formulate privacy
requirements and threats to facilitate compliance with data
protection regulations?
Q2: How do author build privacy-preserving cloud-based systems
from existing approaches in security and privacy?
Q3: How do author increase the safety of an Operating System
(OS) by reducing the risk of kernel exploits?
Finding: This paper surveyed recent advances in cloud computing security and privacy research. It described several cloud computing key concepts and technologies, such as virtualization, and containers. They also discussed several security challenges that are raised by existing or forthcoming privacy legislation, such as the European Union( EU), Data Protection Directive (DPD) and the US Health Insurance Portability and Accountability Act (HIPAA).
The results that were presented in the area of cloud security and privacy are based on cloud provider activities, such as providing orchestration, resource abstraction, physical resource and cloud service management layers. Security and privacy factors that affect the activities of cloud providers in relation to the legal processing of consumer data were identified and a review of existing research was conducted to summarize the state-of-the-art in the field.
Chapter two
Cloud Accounting
Problems solved by cloud accounting
The role of ledgers
The cloud accounting general ledger project
Problems with current business ledger
How transactions are recorded on cloud computing
Evidence
List of companies in Egypt using cloud computing
Tax , tax accounting and value added tax (VAT)
Qualifications of external auditors in Egypt
2.Chapter two: Cloud Accounting Background
2.1 Introduction
Contemporary organizations are the target of a continuous ‘data bombardment’, therefore they quickly reach the need for an efficient way to convert the received data into correctly structured information, able to provide decision support or competitive advantages. Any decision taken at the organizational level, may it be the construction of a new building, or the migration of a business service towards the cloud, requires pertinent and usable information. The accounting professionals working in IT organizations, or in any kind of organization which takes into account the adoption of cloud-based services, often considered that the final decision for or against the adoption of such services exceeds their competence, being the exclusive prerogative of the IT department (Tarmidi, M. et al., 2014). The current paper is an attempt to demonstrate the way an accounting or audit professional may be implied in the final decision regarding a migration towards the cloud, and also the way such professional may use her own knowledge and experience in order to positively influence the final decision, by providing solid points and properly performed efficiency calculations.
As the cloud-based technologies gain more customers each day, the need for understanding the ‘economics of cloud’ arises, together with the need for strategic measurement of different cloud or non-cloud-based infrastructure options. In such context, the option for the cloud technologies cannot be the duty of the IT department only, as the economic drivers are at least as important as the technological ones. Economic measurement of the future cloud computing implementations is required for at least two reasons. First, all types of implementations are investment projects and, by consequence, need to be fully justified before being chosen or rejected. Second, once a cloud strategy is adopted and an infrastructure is implemented, the implementation must be continually monitored, so the organization can be sure that it continues to deliver an optimal return on investment. Gaining maximal return on the implementation of a cloud computing strategy is predicated on the ability to understand the economic metrics. Therefore, the accounting professional can no longer be a simple observer in the process of cloud migration and cloud adoption, but a central piece and a ‘voice of reason’ standing between the typical enthusiasm of the IT department and the typical skepticism of the management
( Mangiuc, D.,2017).
2.2 What Is Accounting?
Accounting can be defined as follows: the systematic recording, reporting, and analysis of financial transactions of a business. Accounting provides financial information to stakeholders. Stakeholders include banks, suppliers, investors, government agencies, and people engaged with an organization, such as its owners and employees. Banks need financial information to assess the condition of a firm before lending money. A profitable organization with positive cash flows can easily acquire loans as compared to one suffering heavy losses and little money. Suppliers need financial information to consider trade credit. Investors will invest their money only in profitable organizations. They determine the profitability of an organization by reading its financial statements. Every business concern is bound by law to report on its revenue and expenses to local government agencies for income tax purposes. In a nutshell, accounting performs the following tasks:
Evaluates profit or loss of a business concern
Provides detailed information about a firm’s net worth
Reports on assets, liabilities, owner’s equity, and profitability (Ahmed, R.,2016).
2.3 The Accounting System
Organizations use accounting systems (either manual or computerized) to store, manage, and provide their financial information to their stakeholders. These systems are implemented to produce financial statements, including income statement, balance sheet, and other accounting reports. They store detailed records of accounts, such as cash, accounts receivable (due from customers), accounts payable (due to suppliers/banks), fixed assets, stocks, and so on (Ahmed, R.,2016).
2.4 Common Problems solved by cloud accounting
The value of cloud-based software is becoming increasingly apparent in accountancy. A number of everyday problems can be extricated through the use of cloud accounting ‘ freeing you up to work smarter and faster while simultaneously increasing your overall productivity.
Here are just some of the common accounting problems that can be overcome with cloud-based software:
Problem(1): Out of data records
Solution: Real-time updates
Cloud-based software allows you and your clients to access data anytime, anywhere and on any device. This makes it possible to keep on top of your business or your client’s accounts and make decisions based on real-time information. As it is accessible by multiple users, communication and collaboration with clients are made much easier too.
Problem(2): Loss of data following physical computer damage
Solution: Data stored remotely, not on an individual system
The cloud is one of the most secure ways you can store data. If your laptop is stolen, you don’t need to worry about someone gaining access to your client’s spreadsheets as they won’t be stored on the hard drive but rather on a remote server hosted on the Internet. The same applies if your computer is damaged or files are accidentally wiped clean.
Problem(3): Data can only be accessed from your office
Solution: Remote access allows flexible working
When information is stored offsite, you have the flexibility to work remotely. Not having to take a round trip back to the office if you’ve been visiting a client saves you time and helps you meet your deadlines whilst working in a way that suits you.
Problem(4): Accounting systems are expensive
Solution: Cloud-based software is affordable and scalable
It can be very expensive to keep up-to-date when using traditional software. It can also be complicated and time-consuming when systems fail; not to mention difficult to guarantee security and keep secure back-ups of data.
Cloud based-software is much simpler to maintain and eliminates the need for an IT specialist; saving money that can be better spent elsewhere. Cloud accounting systems are also flexible and can grow as a business grows so that you’re always offered a bespoke option that matches the demands of your businesses or clients rather than paying for a service which is either too big or too small for the current size of your operations( www.liquidaccounts.com).
2.5 Why companies should use cloud accounting?
If you are like most startup business owners, you are passionate about the work you do. You know that to grow, you will need to dedicate time and money to your company. Your peers and mentors have been suggesting accounting software. Why use accounting software? More than likely, you don’t want to pour resources into your accounting program, but there are ways that cloud accounting software can help you avoid wasting bankroll.
Have you been up against any of the startup problems below? Here are seven ways that online accounting software can help solve them:
( Cameron, A.,2016).
Problem 1: Your financial records are disorganized
How many times have you dug through financial records to find one document? And, we all know the frustration of staring at a computer screen, trying to remember the name of a spreadsheet buried on our hard drive.
Solution: Cloud accounting software streamlines your books.
With online accounting software, you can organize your records in one place. You store your information in the cloud. You can access your accounting from anywhere with an Internet connection.
Problem 2: You are on a tight budget
If you are like most startups, you operate on a tight budget. You want to spend money on growing your business, not overhead costs like an accounting program.
Solution: Cloud accounting software is a low-cost accounting fix.
Online accounting software might be a good fit for new business owners that want to be responsible for tracking their finances without paying high prices.
You can find basic accounting software programs offered for low monthly subscriptions. Some packages include a free trial and no long-term contracts.
Doing your own accounting eliminates the need to hire an in-house bookkeeper and reduces the use of an outside accountant.
Problem 3: You are not good with numbers
How good are you with numbers? Handling your company’s finances with a calculator is not an ideal situation. People make mistakes, and mistakes in your accounting books can be costly.
Solution: Online accounting software computes figures.
Your chances of computing inaccurate figures are far less when you use accounting software. You simply enter your transaction information and the software program calculates figures for you.
Instead of spending hours calculating and checking your numbers, you can let accounting software take care of all the equations for you.
Problem 4: Cash flow keeps you up at night
The best way to project cash flow is to examine detailed, accurate records of your transactions. When your financial statements are mixed in with receipts, quotes, and your child’s school supplies list, you could spend a lot of extra time projecting cash flow.
Solution: Cloud accounting software tracks up-to-date information.
Cash flow helps you understand your income and expenses. Knowing all the moving parts of your accounting gives you a clear picture of your business’s finances.
Cloud accounting software lets you see the location of every penny your company has as each one comes and goes. Cloud accounting software can track unpaid invoices, 1099 payments, and bank transactions. All this information gives you the tools to project cash flow.
Problem 5: You are not an accounting expert
When you start a business, all the tasks of running a company fall on your shoulders. But, hiring extra help is not financially ideal to lighten the workload.
Solution: Get help from experts with cloud accounting software.
Many accounting software companies offer free customer service and support. Customer service representatives answer your questions about the software. You can contact customer service representatives through phone, email, or online chat.
Online software also makes it easier to share information with a financial professional. Accountants help you through difficult accounting practices, like filing taxes. Using cloud accounting software gives your accountant the flexibility to view your records and advise you from anywhere.
Problem 6: You don’t have time for accounting
Filling out paperwork and formatting business documents doesn’t make you money. These tasks can also be very time-consuming.
Solution: Cloud accounting software saves you time.
You can generate pre-set forms with accounting software. You just fill in the blanks. Some cloud accounting software allows you to create and print invoices and 1099s. Cloud accounting software helps you quickly create forms and get back to running your business.
Problem 7: Your records are not protected
Your financial records are too important to risk them being destroyed, lost, or stolen. Even with insurance, you might not be able to recover information from paper documents if something happens. If you store records on your hard drive and your computer gets damaged, your records are gone.
Solution: Cloud accounting software is safe and secure.
Online accounting software stores your information in the cloud. This means that no matter what happens to your computer, your financial information is safe. Software companies protect your accounting records with secure servers, passwords, and encrypted data ( Cameron, A.,2016).
2.6 The role of ledgers
In today’s connected and integrated world, economic activity takes place in business networks that span national, geographic, and jurisdictional boundaries. Business networks typically come together at marketplaces where producers, consumers, suppliers, partners, market makers/enablers, and other stakeholders own, control, and exercise their rights, privileges, and entitlements on objects of value known as assets. Assets can be tangible and physical, such as cars and homes, or intangible and virtual, such as stock certificates and patents. Asset ownership and transfer create value in a business network and are known as transactions. Transactions typically involve various participants like buyers, sellers, and intermediaries (such as banks, auditors, or notaries) whose business agreements and contracts are recorded in ledgers. A business typically uses multiple ledgers to keep track of asset ownership and asset transfers between participants in its various lines of businesses. Ledgers are the systems of record (SORs) for a business’s economic activities and interests (Brakeville S., Perepa B.,2016).
2.7 The Cloud Accountant General Ledger Project
Running your business gets a whole lot easier when you can access your books anywhere and anytime. The Cloud Accountant being developed is a complete double entry cloud accounting application that lets you keep in touch with your business all the time. The intensely competitive market in today’s economy requires that managers continuously improve the way they work and make decisions. Today’s successful managers demand instantaneous information that is both accurate and useful. A traditional desktop accounting system simply cannot cope with these high demands. Only by taking advantage of the power of the latest technology can these demands be met. The goal of the Cloud Accountant is to remove most of the boring bookkeeping work from the business. The application will take over all the simple and monotonous tasks that can eat up precious time. For instance, it will automate all period-end tasks such as closing the books, transferring the closing balances forward, and so on, with just a few clicks. It also facilitates the recording of all purchase and sales transactions, bill payments, and so on. Since the application can process and retrieve business transactions instantly, there will be a quicker response time to customers, suppliers, and creditors, which will ensure better business relations. In addition, it will produce professional-looking financial reports and accounting records quickly and easily. The Cloud Accountant will free up more time, which can be used to work on improving other areas of the business. A paperless environment means less work and less confusion since all information is stored electronically and can be accessed instantaneously. A computerized system will also produce more accurate records. The logic created in this application ensures that all entries are posted properly and that the calculations of key financial data are done correctly. This greatly reduces the potential for human error that is prevalent in manual accounting systems. Because of the inherent structure within the Cloud Accountant, the accounting system around the computer will be simplified and more organized. As a result, the flow of information in all stages of the business cycle will be more logical and efficient. Of great importance are the security features built into the application, which ensure that only authorized people to have access to company’s sensitive financial information. In this application, you will define your own security levels that will allow users to access only what you want them to access. This ensures that data will remain safe, can be easily maintained, and is neat and organized ( Ahmed, R.,2016).
2.8 Problems with current business ledgers
Current business ledgers in use today are deficient in many ways. They are inefficient, costly, nontransparent, and subject to fraud and misuse. These problems stem from reliance on centralized, trust-based, third-party systems, such as financial institutions, clearinghouses, and other mediators of existing institutional arrangements. These centralized, trust-based ledger systems lead to bottlenecks and slowdowns of transaction settlements. Lack of transparency, as well as susceptibility to corruption and fraud, lead to disputes. Having to resolve disputes and possibly reverse transactions or provide insurance for transactions is costly. These risks and uncertainties contribute to missed business opportunities. Furthermore, out-of-sync copies of business ledgers on each network participant’s own systems lead to faulty business decisions made on temporary, incorrect data. At best, the ability to make a fully informed decision is delayed while differing copies of the ledgers are resolved (Brakeville S., Perepa B.,2016).
2.9 How transactions are recorded on cloud computing
There are much software and applications using to record data on cloud computing such as blockchain technology and oracle application.
2.9.1.1 What is blockchain, exactly?
A blockchain is a tamper-proof, shared digital ledger that records transactions in a public or private peer-to-peer network. Distributed to all member nodes in the network, the ledger permanently records, in blocks, the history of asset exchanges that take place between the peers in the network. All the confirmed and validated transaction blocks are linked and chained from the beginning of the chain to the most current block, hence the name blockchain. The blockchain thus acts as a single source of truth, and members in a blockchain network can view only those transactions that are relevant to them (Brakeville S., Perepa B.,2016).
2.9.1.2 What are the business benefits of blockchain?
In legacy business networks, all participants maintain their own ledgers with duplication and discrepancies that result in disputes, increased settlement times, and the need for intermediaries with their associated overhead costs. However, by using blockchain-based shared ledgers, where transactions cannot be altered once validated by consensus and written to the ledger, businesses can save time and costs while reducing risks. Blockchain technologies promise improved transparency among willing participants, automation, ledger customization, and improved trust in record keeping. Blockchain consensus mechanisms provide the benefits of a consolidated, consistent dataset with reduced errors, near-real-time reference data, and the flexibility for participants to change the descriptions of the assets they own. Because no one participating member owns the source of origin for information contained in the shared ledger, blockchain technologies lead to increased trust and integrity in the flow of transaction information among the participating members. Immutability mechanisms of blockchain technologies lead to the lowered cost of the audit and regulatory compliance with improved transparency. And because contracts being executed on business networks using blockchain technologies are smart, automated, and final, businesses benefit from increased speed of execution, reduced costs, and less risk with timely settlements of contracts (Brakeville S., Perepa B.,2016).
2.9.2 Oracle Application Express ( APEX)
Oracle APEX applications are built on technology that resides within an Oracle Database, so all your applications can be easily run on any Oracle platform, from the Oracle Database Cloud Service to your in-house data center to Oracle Database XE on your laptop. Once you have developed an application either on your PC or in the cloud, simply export the application and then import into any other Oracle Database where you have a compatible version of APEX installed. Naturally, you may also deploy your application on the Oracle Database Cloud Service and then allow access to it from anywhere in the world ( Ahmed, R.,2016).
2.10 Evidence
Digital evidence is information stored or transmitted in a binary form that may be relied on in court. It can be found on a computer hard drive, a mobile phone, a personal digital assistant (PDA), a CD. Digital evidence is commonly associated with electronic crime, or e-crime, such as credit card fraud.
2.10.1The definition of a forensic accountant
Multiple terms can be used to describe the individual performing an investigation of a financial nature and may include ‘fraud examiner, fraud auditor; forensic auditor; fraud investigator; financial crime investigator.
According to the Canadian Institute of Chartered Investigators (2013), investigative and forensic accounting engagements ‘require the application of professional accounting skills, investigative skills, and an investigative mindset, and involve disputes or anticipated disputes, or engagements where there are risks, concerns of allegations of fraud or other illegal or unethical conduct’.
According to the Association of Certified Fraud Examiners (ACFE), a forensic accountant plays an important role in the investigation of crimes, such as fraud and corruption and consequently in civil and criminal proceedings. The forensic accountant will use accounting and investigative knowledge to assist in investigations and during litigation (ACFE, 2013).
According to KPMG (2013), a forensic investigation occurs ‘when suspicions of fraud, or bribery and corruption, or financial misconduct and mismanagement surface, specialist independent investigation, support, and advice are required to quickly and effectively deal with these issues’.
2.10.2 Electronic evidence
Evidence that allows assurance of accountability services, verification of compliance with the principles of accountability by service providers and attribution of responsibility for breaches within the chain of accountability is essential.
Traditional forms of evidence are:
Documentary evidence;
Real evidence; and
Viva- voce evidence.
Electronic evidence can further be divided into three categories:
Documents or files that contain content have been written or created by one or more people;
Records that have been generated by a computer and where there is no human interference or input; and
Records that consist of both inputs generated by a computer and human inputs. (Mason, S., and Seng, D.,2017).
2.10.3 Audit and evidence-gathering
IaaS offerings support on-demand cloning of virtual machines. In the event of a suspected security breach, the customer can take an image of a live virtual machine ‘ or virtual components thereof ‘ for offline forensic analysis, leading to less downtime for analysis. With storage on tap, multiple clones can be created and analysis activities parallelized to reduce investigation time. This improves the ex- post analysis of security incidents and increases the probability of tracking attackers and patching weaknesses. However, it does presume the customer has access to trained forensic experts (which is not a standard cloud service as of writing).
It can also provide more cost-effective storage for logs, thus allowing more comprehensive logging without compromising performance. Pay as you go cloud storage brings transparency to your audit storage costs and makes adjusting to meet future audit log requirements easier. This makes the process of identifying security incidents as they happen more efficient ( Rev.B,2012).
2.10.4 Electronic document as an accounting evidenced
In order to obtain specifications presenting appropriately data recorded in the books, it is necessary to ensure
Completeness of information representing single accounting entry,
Creation of accounting specifications exclusively on the basis of verified and recorded accounting documents,
An effective way of linking accounting entries with an underlying source of documents.
The term “electronic document” refers to the form of a document, such as electronic invoice, print from the online banking system, electronic storage document, electronic ticket data from billing systems, etc.
When bookkeeping using the computer the accounting records, made automatically through communication devices, computer storage media or generated by an algorithm (program) on the basis of information already in the books are considered the equivalent of the source evidence.
Such provisions may also occur as a result of the introduction to the books of electronic documents constituting evidence of accounting. Entries entered automatically into the books of accounts (accounting system) shall be considered equivalent to provisions made on the basis of the source evidence, if they meet at least the following conditions:
When registering they become permanently readable and compatible with the contents of the relevant accounting documents.
It is possible to determine the source of the records and the person responsible for their introduction to the books of accounts and further modification.
The applied procedure provides validation of processing of relevant data and the completeness and identity of record.
Source data in place of their creation are properly protected in a way that ensures their persistence, for the period required to store a given type of accounting documents.
Accounting entries are made by a computer system in a sustainable manner, without leaving places to use later insertions or changes. The system provides protection for records against their destruction, modification or covering of entry. In addition, the records in the log and ledger accounts are linked in a way that allows checking their compatibility. Information system provides storage of records in the accounts for a period of not less than required by the Accounting Act.
Each accounting document is defined in the computer system by type of evidence, identification number, the parties engaged in a business transaction, a description of the operation, date of operation and preparation of evidence. These signs provide identification of accounting evidence and comply with the requirements of the Accounting Act. Accounting documents generated by the online system meet the conditions under the Accounting Act and the VAT Act for documenting events subject to VAT.
The collected documents, regardless of the place of origin, may be transferred, edited and accepted within the defined paths of the electronic circuit. Existing “migration” of paper information rules may be replaced by their electronic version, assuming their compliance with the original. It accelerates the way of operations of the company and improves the efficiency of its activities. As a result of the transition to electronic work-flow employees perform tasks in a shorter period of time, the team effectively uses the gathered jointly information and documents, and the company reduces costs resulting from normal transmission and archiving of documents. Programs for reading paper invoices that analyze scanned documents and automatically add to the information on the invoice are more and more commonly used. This allows you to export them to a file, import and proper entry in the accounting program, which is used by the company. An archive is automatically created and allows for the resignation of bulky paper files and searching for documents with the help of searcher and browse them directly in the accounting program. These applications are usually available online, so it does not require any additional installation, investment in hardware or expensive servers. Conditions to use them are an Internet access and a web browser ( Wyslocka, E., Jelonek, D., 2014).
2.11 Egyptian companies 🙁 CIT data base )
There are 6 main companies produce cloud computing service in Egypt:
IBM
Google
Nokia
Microsoft
Hiawei
Ericsson
Also, there are around 28 companies apply cloud computing in Egypt such as:
HP
EMC
Schneider
Vodafone
AUC
CIB
TE ‘data
Blom bank
Chamber of Information technology and Telecommunication held an extensive meeting for member companies to announce the launch of their new initiatives titled by The Road to The Cloud on 29/1/2017. Chamber of Information technology and Telecommunication (CIT) aims to train 60 specialized companies to transfer their software to cloud computing to maximize the utilization of new technology breakthroughs and applications and to keep abreast of global technological transformation as part of its strategy to develop member tools and transfer all their latest and innovative technologies. Achieving growth rates commensurate with their objectives recognizing the new variables in the industry for external expansion and competition (http://ik.ahram.org.eg/News/22606.aspx).
2.12 The tax treatment for cloud computing
2.12.1 Characterizing Cloud Computing Transactions
Characterizing a cloud computing transaction is central to its treatment for sales and use tax purposes. Not only will this often determine whether the transaction is taxable at all, because the state generally may not tax the sale or use of services or intangibles, but even if the service or the intangible is taxable, the characterization of the transaction may have implications for where the transaction is taxable. In their approach to the characterization question, states understandably have often looked to general principles that they have employed in other contexts for characterizing transactions as well as to the particular rules that they have developed for characterizing transactions involving computer software (Thomson R.,2013).
2.12.2 Value Added Tax (VAT)
As part of the consultation exercise, some organizations asked if there are VAT implications in moving to the cloud and a SaaS model. This can be a complex area and organizations would need to take specialist advice from their own tax advisors if they have any concerns or particular issues. VAT is unlikely to be a significant issue for local authorities as they can recover both the VAT payable on cloud services as well the VAT payable on software and equipment purchases, and operating a data center. The implications of a move from traditional IT or from the capital to revenue expenditure are therefore more likely to impact on cash flow rather than budgets and overall costs.
2.12.3 Corporation tax
Corporation tax is only likely to become an issue if special purpose vehicles are used to supply services, for example using a limited company to provide shared services to several organizations. In such cases, you would expect to take specialist tax advice at the early stages of considering these types of corporate structures ( Thornton J.,2017).
2.12.4 Impacts on profit margins and pricing strategies
‘Some American companies have been very surprised by European VAT,’ says Anne Freden, Ernst & Young LLP Tax Partner. With their main offices, servers and content creation all in Silicon Valley ‘ and with customers in Europe who simply log on and access their offerings ‘ these enterprises have found that upward of 20% of what they were posting as revenue was actually owed as a tax. ‘For companies that have grown rapidly, what starts as a small exposure can get very large, very quickly,’ she says. Adds Bollard: ‘Especially if you’re in the business-to-consumer space, it is critical that you correctly factor the impact of VAT into both price points in the market and underlying margin expectations.’ ( Flynn C., 2015) .
With cloud computing as a catalyst for the overhaul of companies’ global cost structures and profit centers ‘ and with steadily increasing volumes of revenue moving through the cloud ‘governments have focused increasing attention on taxing cloud business.
This is primarily driven by one of two motivations:
While some governments focus longer term on building local digital economies ‘even offering CSPs tax incentives to locate in their jurisdictions ‘others are under severe pressure to raise public revenue after years of economic downturn. In addition, some governments seek to protect their local markets, others to preserve local cultural norms or censor unwanted content. Governments’ ability to keep up with the technology varies as well ‘often lagging behind the development of new business models. ‘Now, in the cloud, companies are doing things even more quickly, much more virtually. And that’s just going to increase,’ says Flynn. “Governments have to become more technologically sophisticated to understand this.’ ( Flynn C.,2015).
2.13 Cloud computing challenges
While the use of cloud computing continues to grow, the solutions being adopted are primarily Public clouds, which remain a minority of the overall enterprise IT estate.AS such, there appears to be a greater recognition amongst organizations that the risks relating to the cloud are not significantly different from operating other outsourced relationships or managed services solutions.
Control over cloud computing is vitally important, and many IA functions deploy specialist skills as necessary, including control risk, third-party management, information security and business continuity to assess all aspects and risks around cloud solutions effectively. The majority of organizations, however, are not increasing IA resource devoted to IT risks significantly over IT risk.
2.13.1 Examples of audit reviews could be:
Cloud services implementation: Evaluating the processes by technology to identify and monitor all sanctioned and non-sanctioned cloud service deployments across the organization. Ensure that the standard governance processes around selection, deployment, and security of cloud technologies throughout the business, including due diligence and no- boarding were followed and these are fit for propose. In the case of non-sanctioned or non-compliance cloud deployments, protocols exist to remediate.
service organization controls reviews : A baseline level of assessment over cloud services by scrutinizing the scope and coverage of service auditors reporting standard ( where applicable ) such as ISAE3402 or SSAE16 ( in terms of the systems covered and breadth of relevant control objectives and risks ) or leveraging such reports to gain assurance for internal audit purposes and evaluate vendor control environment (Including annual re-assessment/ benchmarking ).
Control risk and right to audit review: review contractual documentation negotiations with third-party cloud providers to assess against typical control risk and assure over whether a key element of the risk has been covered. Ensure ‘ right to audit ‘ clauses are included in contractual negotiations with cloud vendor so that internal audit has the right to access and review directly cloud vendor internal controls .this could include evaluation of whether key relevant regulatory requirements have been considered and assessed as part of the SLAs agreed, so that cloud computing platforms will not invalidate or breach compliance requirements.
Vulnerability assessments: the ability perform Vulnerability testing against cloud services is recommended where possible as the cloud is an extension of an organization’s enterprise. Cloud providers normally prevent customers requesting this, thought the large size of customer and contract, the more likely requests could be met ( Mcdonough D., 2015).
Computing applications can be outsourced to external service providers; there are always risks when relying on an external vendor in handling a company’s own critical applications, notwithstanding the high cost of such an endeavor. Important applications of a business, including database storage and processing of business events relating to a company’s basic revenue, expenditure, and production processes, should be protected by adequate controls and policies that govern data storage, dissemination, and processing. Because these policies and controls define a company’s internal control environment, which has an impact on the reliability of reporting in annual reports or other statements, audit standards require external financial statement auditors to perform a review and assessment of such controls that a company adopts. For these reasons, decisions that relate to the adoption and use of underlying technologies that dictate a company’s data storage, processing, and data sharing policies place significant constraints on the planning, execution, and skill set required to properly canny out an external financial statement audit or other types of special audit engagements. With modern technologies becoming more widespread but at the same time more complex, it is thus important for auditors to understand not only the nature and potential benefits of new technologies but also the risks they present and the impact they may have on the performance of the audit. (Nicolaou, C. A., et al.,2012)
Following are the possible threats and challenges while choosing cloud computing as an option over traditional data center or server room based option.
Technical Issues ‘ Due to some serious malfunction/dysfunction could lead to denial of access to information and data from the cloud anytime and anywhere at all. The fact is that the technology is always prone to outages and other technical issues. Even the cloud service providers (CSPs) run into trouble, in spite of maintaining high standards of maintenance. Besides this, consumer needs a very good Internet connection (broadband link) to be logged onto the server at all times. A consumer might invariably stick in the case of network and connectivity problems.( Kelkar S.,2015).
Hosting (location of data centers) ‘ The resellers, distributors often offer best plans and consumers buy them without thinking of backend cloud data center location. In case of downtime resellers, distributors do not give rational / reason behind the downtime of service to consumers. Many time physical collocation of data center information was not passed by CSPs to next level, which leads to denial of service to the customer. Since the data lies on the CSPs infrastructure, consumers get worried and do not get the clear idea of uptime of the service. In such cases, SLAs would be useless. In some cases pretending as CSPs, might have outsourced data centers to some other party.( Kelkar S.,2015).
Security in the Cloud ‘ The data/information is being accessed from the internet the major issue is security. Before adopting cloud technology, consumers should know that it might be surrendering all organization information to a third-party i.e. cloud service provider (CSPs), this could be a great risk. Hence, consumer of cloud needs to make absolutely sure that it chooses the most reliable service provider, who will keep your information totally secure. The service level agreement (SLA) with a non-disclosure agreement (NDA) could be signed by both CSPs and the consumer organization. The data security can be achieved by implementation of encryption techniques, SSL / TLS in data communication, Data Access List, Web application security by Firewall (Kelkar S.,2015).
Prone to Attack ‘ storing information in the cloud could make your organization vulnerable to external hack attacks and threats. As nothing on the Internet is completely secure and hence, there is always the possibility of stealth of sensitive data (Kelkar S.,2015).
Prone to copy ‘ There could be possibility of internal staff might copy data, if enough security perimeter and audit mechanism is not installed at CSPs end (Kelkar S.,2015).
Security and Privacy ‘ Cloud computing is different from the traditional computing model, it utilizes the virtual computing technology. Where the user data may be scattered in the various virtual data center rather than stay in the same physical location. Even sometimes across the national borders, at this time, data privacy protection will face the controversy of different legal systems. Attackers might get a chance to analyze the critical task depend on the computing task submitted by the users (Arora P., Chaudhry R. W., Satinder E. P. A,2012).
Reliability ‘ Servers farm in the cloud have the same problems such as your own resident servers. The cloud servers pool also experience downtimes and slowdowns, what the difference is that users have a higher dependent on cloud service provider (CSP) in the model of cloud computing. There is a big difference in the CSP’s service model, once you select a particular CSP, you may be locked-in, thus bring a potential business secure risk (Arora P., Chaudhry R. W., Satinder E. P. A,2012)
Lack of Standards ‘ Clouds have documented interfaces (APIs); however, no standards are associated with these APIs, and thus it is unlikely that most clouds will be interoperable. The Open Grid Forum is developing an Open Cloud Computing Interface to resolve this issue and the Open Cloud Consortium (OCC) is working on cloud computing standards and practices. The findings of these groups will need to mature, but it is not known whether they will address the needs of the people deploying the services and the specific interfaces these services need. However, keeping up to date on the latest standards as they evolve will allow them to be leveraged, if applicable (Dialogic,2010).
Continuously Evolving ‘ User requirements changes as per business demand and also requirements for interfaces, networking, and storage. This means a ‘cloud has to evolve and not to remain static.( Kelkar S.,2015).
Compliance ‘ various countries have regulations towards the storage and use of data on the cloud. Consumer organization requires reporting and audit trails, which cloud service providers (CSP) must enable them to comply with these regulations. Also, the data centers maintained by cloud service providers (CSP) are also subject to compliance towards the regulations.( Kelkar S.,2015).
2.14 Auditors skills towards cloud computing problem
The human element is one of the most important elements that can be invested to achieve success in any project and in any institution and is very important in the cloud computing where he/she is a founding element, he/she is discovered, developed to achieve the objectives of cloud computing and is managed by.
Technical requirements Is to provide a good education for external auditors through accredited courses for university students and employees of audit offices, so that they are ready to pursue and participate in the labor market and absorb the maximum of information at the same time in addition to the provision of appropriate digital technology equipment and computers and systems and Prepares data and provides e-mail services.
President of Oracle announced the provision of programs to support entrepreneurs and small companies in the field of cloud computing. He said that the center specialized in the development of human resources, supports the provision of training and rehabilitation, pointing out that the local market is growing significantly in terms of the number of graduates annually in the field of engineering and information technology and computers.
Oracle has more than 1,500 Middle East customers in cloud computing and has around 19 cloud computing centers around the world (http://www.alborsanews.com/ , 2017).
External IT Audit Experience It is often difficult to find someone from an external audit firm that really understands the technology he /she is reviewing. these are generalities and there are some extremely talented and technical auditors working at external audit firms. The key is to vet this out during the interview process (Davis C. et al., 2011).
‘
Chapter three
Auditors’ background, Independence, Relationships and Threats
‘ Introduction
‘ Types of Audits
‘ Types of Auditors and their duties , functions and relationships
‘ Audit process
‘ Audit report
‘ Audit evidence and documentation
‘ Audit planning and assess audit risk
‘ Auditing cloud computing framework
‘ Legal concerns and regulatory compliance
‘ Determine whether appropriate governance process are in place over the engagement of new cloud services by you company’s employees
‘ Review and evaluate your company’s processes for monitoring the quality of outsourcing operations
3. Chapter three: Auditors’ background, Independence, Relationships and Threats
3.1 Introduction
The word ‘audit’ comes from the Latin word audire, meaning ‘to hear’. According to (Flint.D,1988), an audit is a social phenomenon which serves no purpose or value except its practical usefulness and its existence is wholly utilitarian. (Flint.D, 1988) further, explains, the audit function has evolved in response to a perceived need for individuals or groups in society who seek information or reassurance about the conduct or performance of others in which they have an acknowledged and legitimate interest. (Flint.D ,1998) argues that audit exists because interested individuals or groups are unable for one or more reasons to obtain for themselves the information or reassurance they require. Hence, an audit function can be observed as a means of social control because it serves as a mechanism to monitor conduct and performance and to secure or enforce accountability. Mackenzie (as cited in Normanton, E. L., 1996) in the foreword to The Accountability and Audit of Governments made the following remark: ‘Without the audit, no control; and if there is no control, where is the seat of power?’ All in all, an audit function plays a critical role in maintaining the welfare and stability of the society.
The aim of an audit has always been a dynamic rather than a static one. (Brown, R.1962) asserts that the objective and techniques of auditing have changed during the four hundred years of recognizable existence of auditing to suit the changing needs and expectations of society. It can be observed that the changes in needs and expectations of society are highly influenced by the factors contextual to the economic, political and sociological environment at a particular point in time. Therefore, the review of the historical development of auditing enables one to understand, analyze and interpret the evolution of auditing due to the change in expectations of the society.
To do an audit, there must be information in a verifiable form and some standards (criteria) by which the auditor can evaluate the information. Information can and does take many forms. Auditors routinely perform audits of quantifiable information, including companies’ financial statements and individuals’ income tax returns.
Auditors also audit more subjective information, such as the effectiveness of computer systems and the efficiency of manufacturing operations.
The criteria for evaluating information also vary depending on the information being audited. In the audit of historical financial statements by CPA firms, the criteria may be U.S. generally accepted accounting principles (GAAP) or International Financial Reporting Standards (IFRS).
For the audit of tax returns by the Internal Revenue Service (IRS), the criteria are found in the Internal Revenue Code. In an IRS audit of Boeing’s corporate tax return, the internal revenue agent uses the Internal Revenue Code as the criteria for correctness, rather than GAAP.
For more subjective information, it is more difficult to establish criteria. Typically, auditors and the entities being audited agree on the criteria well before the audit starts.
3.2 Types of Audits
CPA’s perform three primary types of audits as operational audits, compliance audits, and audits of financial statements (Arens et al, 2012, P.12-13).
3.2.1 Operational Audit
Operation audit evaluates the efficiency and effectiveness of any part of an organization’s operating procedure and methods. At the completion of an operational audit, management normally expects the recommendation for improving operations. In operational auditing, the reviews are not limited to accounting. They can include the evaluation of organizational structure, computer, operations, production methods, marketing, and any other area in which the auditor is qualified (Arens et al, 2012).
3.2.2 Compliance Audits
A compliance audit is conducted to determine whether the auditor’s is following a specific procedure, rules, or regulation set by some higher authority.
Results of compliance audits are typically reported to management, rather than outside users because management is the primary group concerned with the extent of compliance with prescribed procedures and regulations. Therefore, a significant portion of work of this type is often done by auditors employed by the organizational units. When an organization such as the Internal Revenue Service (IRS) wants to determine whether individuals or organization issuing the requirements, the auditor is employed by the organization issuing the requirement (Arens et al, 2012).
3.2.3 Audits of Financial Statements
A financial statement audit is the examination of an entity’s financial statements and accompanying disclosures by an independent auditor. The result of this examination is a report by the auditor, attesting to the fairness of presentation of the financial statements and related disclosures. The auditor’s report must accompany the financial statements when they are issued to the intended recipients.
3.3 Types of Auditors and Their Duties, Functions, and Relationships
There are two types of audit functions that exist today. They have very important roles in assuring the validity and integrity of financial accounting and reporting systems. They are the internal and external audit functions.
3.3.1 The Internal Audit Function
The internal audit function is a control function within a company or organization. The primary purpose of the internal audit function is to assure that management authorized controls are being applied effectively. The mission, character, and strength of an internal audit function vary widely within the style of top executives and traditions of companies and organizations. IT audits is one of the newer, emerging areas of support for internal audit. The internal audit group, if appropriately staffed with the resources, performs the monitoring and testing of IT activities within the control of the organization. Of particular concern to private corporations is the processing of data and the generation of information of financial relevance or materiality. The IA department reports directly to the president or board of directors. An IA must be independent of the department heads and other executives whose work he reviews. IA, however, can never be independent in the same sense as the independent auditors because they are employees of the company they are examining.
3.3.2 The External Auditor
The external auditor evaluates the reliability and the validity of systems controls in all forms. The principal objective of their evaluation is to minimize the amount of substantial auditing or testing of transactions required to render an opinion on a financial statement. External auditors are provided by public accounting firms and also exist in government as well. They can examine the work of both federal and private organizations.
3.3.3The relationship between the external and internal auditors
The coordination of internal audit activity with external audit activity is very important from both points of view: from external audit’s point of view is important because, in this way, external auditors have the possibility to raise the efficiency of financial statements audit; the relevancy from internal audit’s point of view is assured by the fact that this coordination assures for the internal audit a plus of essential information in the assessment of risks control (Dobro”eanu, L. and Dobro”eanu C.L., 2002).
The important of the relationship from internal audit and external audit is reflected also by International Standards of Audit ( 610- considering the work of internal audit ) which foresees, among others :
Both the internal and external auditors play an important role in ensuring such a process, where the internal auditor works within the company ensuring the effectiveness and efficiency within the firm and the external auditors works as the independent assessor for the competence and reliance of the financial data of the firm (Pop, A., et al .,2008).
The external auditor should obtain a sufficient understanding of internal audit activities to identify and assess the risks of material misstatement of the financial statements and to design and perform further audit procedures.
The external auditor should perform an assessment of the internal audit function when internal auditing is relevant to the external auditor’s risk assessments.
3.3.4 Similarities and differences between internal audit and external audit
The researcher will present the main similarities that could be identified between internal and external audit:
Both internal audit and external audit profession are governed by one set of international standards issued by the professional organism-specific for each profession. This set of international standards includes the professional standards and the ethical code.
Risk is a very important element the planning process for both internal and external auditors.
For both professions, the independence of the auditor is very important.
Internal and external audit are both concerned over the internal control system of the organization.
Both functions are interested in the cooperation between internal and external auditors.
For both functions, the results of their activity are presented through audit reports. (Pop, A., et al .,2008)
Next the researcher will try to underline the main differences between internal and external audit functions:
Table 1. Different between internal and external audit functions ” Source: (Pop, A. et al. ,2008)
No. Criterions Internal Audit External audit
1 Position inside the organization The internal auditors’ are part of the organization. Their objectives are determined by professional standards, the board, and management. Their primary clients are management and the board. External auditors are not part of the organization but are engaged by it. Their objectives are set primarily by statute and their primary client – the board of directors.
2 Objectives The internal auditor’s scope of work is comprehensive. It serves the organization by helping it accomplish its objectives, and improving operations, risk management, internal controls, and governance processes. Concerned with all aspects of the organization – both financial and nonfinancial – the internal auditors focus on future events as a result of their continuous review and evaluation of controls and processes. The primary mission of the external auditors is to provide an independent opinion on the organization’s financial statements, annually.
3 Independence Internal audit must be independent from the audited activities. External audit is independent from its client, the organization, its independence being specific to liberal professions.
4 Approach of internal control Internal audit regards all the aspects regarding the organization’s internal control system. External audit regards the internal control system only from the materiality perspective, which permits them to eliminate those errors that aren’t significant, because they don’t have influences over the financial results.
5 Applying of the audit Internal audit covers all the organization’ transactions. External audit covers only those operations that have a contribution at the financial results and the performances of the organization.
6 Frequency of the audit Internal audit performs during the entire year, having specific missions established in according with the level of risks identified for each auditable entity. External audit is an activity with a yearly frequency, as a rule, at the end of the year.
7 Approach of risk The importance of risk for the planning of internal audit activity is very high, the assessment of risk being combined with other types of information like financial and operational. External audit uses the information of risks for the determination of nature, period of time and necessary audit procedures that should be performed in the auditable area, taking into consideration only financial aspects.
8 Consideration of risk factors Internal audit takes into consideration at least next risk factors: (Colbert, J.L., 1995): – Ethical climate and pressure on management to meet objectives;
– Competency, adequacy, and integrity of personnel;
– Asset size, liquidity, or transaction volume;
– Financial and economic conditions;
– Competitive conditions;
– Impact of customers, suppliers, and government regulations;
– Date and result of previous audits;
-Degree of computerization;
– Geographic dispersion of operations;
-Adequacy and effectiveness of the system of internal control;
– Organizational, operational, technological, or economic changes;
– Management judgments and accounting estimates;
– Acceptance of audit findings and corrective action taken; External audit takes into consideration next risk factors: (Colbert, J.L., 1995): – Management operating and financial decisions are dominated by a single person;
– Management’s attitude toward financial reporting is unduly aggressive;
– Management, particularly senior accounting personnel, turnover is high;
– Management places undue emphasis on meeting earnings projections;
– Management’s reputation in the business community is poor;
-Profitability of entity relative to its industry is inadequate or inconsistent;
– Sensitivity of operating results to economic factors is high;
– Rate of change in entity’s industry is rapid;
– Entity’s industry is declining with many business failures;
– Organization is decentralized without adequate monitoring;
– Internal or external matter raises substantial doubt about the entity’s ability to continue as a going concern;
– Contentious or difficult accounting issues are prevalent;
– There are significant and unusual related party transactions not in the ordinary course business;
– Nature, cause (if known), or amount of known and likely misstatements detected in the audit of prior period’s financial statements is significant;
– The Client is new with no prior audit history or sufficient information is not available from the predecessor auditor.
9 Approach of fraud Internal audit is concerned about the frauds from all activities from the organization. External audit is concerned only about the fraud from financial areas.
3.4 Auditing process
The audit is essentially an assurance function that some standard, method, or practice is followed. Depending on the type of audit, the auditor systematically examines the evidence for compliance to established criteria. The best practice in effective IT auditing is to start with an understanding of business functions, to identify which IT infrastructure is providing those functions, and to then consider the scope of the audit and controls best suited for that IT function. The same holds true for IT infrastructure and services provided by the cloud. In fact, most cloud providers are using IT systems models similar to those of their clients. These include: securing workstation (access) and server devices, core services (such as identity and authorization), and monitoring and logging functions. Therefore, many of the same controls and control frameworks (like COBIT or NIST) typically used for systems audits are also usable for auditing systems that are hosted or provided by cloud vendors.
But as businesses move into cloud environments, certain changes occur that auditors must recognize as the move changes the scope of the audit and introduces new risk to systems. Cloud architectures are different from systems hosted by traditional infrastructure and auditors should pay close attention Most auditors will find that audit of cloud infrastructure should be similar to an audit of localized internal infrastructure but will have some uniquely important control areas: those that control access, authorization, and trusted control frameworks. The auditor must consider the business function that is being supported by the IT services or system that is being moved into the cloud. Questions about communications latency, data breach notification, and international laws (where the provider infrastructure moves data between international data centers) are all new potential issues for the cloud-hosted system. Auditors should study cloud solutions carefully since effective audits, including appropriate scope and controls, will be unique to each system. Audit in the cloud does have similar issues to standard infrastructure auditing that should be considered’such as clearly addressing conflict of interest and independence of the auditor, professional auditing practices and adequate technical training and proficiency of the auditor, and audit reports that clearly assert findings and qualified opinions-based evidence and documentation. The audit will be different for the cloud depending on the deployment model of cloud outsourcing (private, public, community, or hybrid) and service model Software as a Service [SaaS], Infrastructure as a Service [IaaS], Platform as a Service [PaaS]. The essential differences will be most evident in the public and hybrid types of clouds’as these will rely most heavily on contracts and (possibly complex) agreements and compliance to those agreements. And because the use of the cloud implies the use of the Internet and ”extension” of the corporate network, all cloud models vary in features and controls that must be considered while planning and executing an audit (Ben Halpert, 2011).
A typical audit has several interrelated stages or activities as follow
3.4.1′ Research and Information Gathering
This process includes interviews with staff and requests for documents and data. The purpose is to help them better define where auditors may or may not assign audit resources. This advance process results in a better-focused audit effort and allows them to determine if the value will likely be added from doing the audit. ( Thomas P. DiNapoli,2016).
3.4.2 ‘ Entrance Conference
An entrance conference establishes a climate of cooperation, informs local government officials and other top management about the audit process and offers officials the opportunity for input. ( Thomas P. DiNapoli,2016).
3.4.3 ‘ Preliminary Audit Survey
The audit team conducts a survey of organizational and operational information before the major audit effort begins. The objective is to develop a complete understanding of the organization and the areas that will be audited. ( Thomas P. DiNapoli,2016).
3.4.4” Fieldwork Phase
This phase consists of the focused audit effort and usually comprises the single largest amount of time. The examiner in charge (EIC) supervises the day-to-day activities of the on-site audit team to ensure quality audit work is completed within predetermined time frames. ( Thomas P. DiNapoli,2016).
3.4.5” Preliminary Audit Findings
After completing the fieldwork phase for each audit segment, the EIC or other audit staff will discuss the findings and conclusions with involved local government management. ( Thomas P. DiNapoli,2016).
3.4.6” Exit Conference
At the completion of fieldwork, they will send a draft copy of written findings and recommendations, and instructions for responding to audit to each member of the governing board, the chief executive officer, and any other appropriate local officials. Audit team members will schedule an exit conference with appropriate local government management to discuss these findings and recommendations. The exit conference provides local officials the opportunity to clarify issues that are to be included in the final audit report.( Thomas P. DiNapoli,2016).
3.5 Audit Report
The audit report is the final step in the entire audit process. The auditor must gather a sufficient and competent evidence to justify his opinion on the financial statements.
3.5.1 Reporting Standards
The four reporting standards require the auditor to prepare a report on the financial statement taken as a whole, including information disclosures. The reporting standards require:
The report shall state whether the financial statements are prepared in accordance with GAAP.
The report shall identify those circumstances in which such principles have not been consistently observed in the current period in relation to the preceding period.
Informative disclosures in the financial statements are to be regarded as reasonably adequate unless otherwise stated in the report.
The report shall show the auditor’s opinion on the financial statements, taken as a whole, or an assertion to the effect that the opinion cannot be expressed, and then the reasons must be stated.
In all cases where the auditor’s name is associated with the financial statements, the report should contain a clear-cut indication of the character of the auditor’s work and the degree of responsibility he is being.
3.5.2 Auditor’s Standard Report
It is important to note that auditor’s reports on financial statements are neither evaluations nor any other similar determination used to evaluate entities in order to make a decision. The report is only an opinion on whether the information presented is correct and free from material misstatements, whereas all other determinations are left for the user to decide. Because of its importance in a financial statement audit, a basic understanding of the form and content of the standard report is essential. The standard report consists of three paragraphs and prescribed languages. The three paragraphs are referred to as the introductory, scope, and opinion paragraphs, respectively.
3.5.3 Types of Audit Report
There are four categories of audit reports as follows:
1.Standard unqualified audit report: Often called a clean opinion, an unqualified audit report is issued when an auditor determines that each of the financial records provided by the business is free of any misrepresentations. In addition, an unqualified opinion indicates that the financial records have been maintained in accordance with the standards known as Generally Accepted Accounting Principles (GAAP). This is the best type of report a business can receive.
2.Unqualified audit report with explanatory paragraph or modified wording: meets the criteria of a complete audit of satisfactory results and financial statements that are fairly presented, but the auditor believes it is important or is required to provide additional information. In a qualified, adverse, or disclaimer report, the auditor either has not performed a satisfactory audit, is not satisfied that the financial statements are fairly presented, or is not independent. This type of modified wording report is also called shared opinion or report. A shared unqualified report is appropriate when it is impractical to review the work of the other auditor or when the portion of the financial statements audited by the other CPA is material in relation to the whole (Arens, 2012).
3.Qualified Opinion: where the auditor disagrees with or is uncertain about one or more particular items in the financial statements which are material but not fundamental to an understanding of the statements, a qualified opinion should be given (Annual report of KPMG 2011 ).
4.Adverse or Disclaimer Opinion:
A. Adverse Opinion: The auditor issues an adverse opinion if he or she believes that the Financial statements are misleading or materially misstated to the point where they do not fairly represent the financial position or results of the company operations. An adverse opinion can be issued only when the auditor has knowledge of the absence of conformity. It is used only when the departure from GAAP is extremely material. Because this uncommon, the adverse opinion is frequently not used.
B. Disclaimer Opinion: On some occasions, an auditor is unable to complete an accurate audit report. This may occur for a variety of reasons, such as an absence of appropriate financial records. When this happens, the auditor issues a disclaimer of opinion, stating that an opinion of the firm’s financial status could not be determined.
Figure No.1 Four Categories of Audit Reports
Source: (Arens, 2012, P.49)
3.5.4 SAS 70 on Reports
When auditing vendors, you need to understand SAS (Statement on Auditing Standards) 70 reports. SAS 70 is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA) to deal with service organizations. It essentially provides a standard by which service organizations (such as those that provide IT services) can demonstrate the effectiveness of their internal controls without having to allow each of their customers to come in and perform their own audit. Without this standard, service organizations would expend a prohibitive volume of resources responding to audit requests from each customer. With this standard, service organizations can hire a certified independent service auditor (such as Ernst & Young) to perform an SAS 70 audit and issue a report.
This report can, in turn, be presented to any customers requiring evidence of the effectiveness of the service organization’s internal controls. SAS 70 reports have become particularly important since the implementation of Section 404 of the Sarbanes-Oxley Act in 2002, as companies can use them as evidence of the effectiveness of internal controls over many aspects of financial processing and reporting that have been outsourced. Without them, any company providing financial services would be bombarded with Sarbanes-Oxley audits from all of their customers, as opposed to being able to hand each customer the same SAS 70 report. SAS 70 service auditor reports are of two types: Type 1 and Type 2. Both types include a description of and an opinion on the design of the service organization’s internal controls at a point in time.
However, only a Type 2 report contains the results of testing by the service auditor regarding whether the controls were operating effectively during the period under review to provide assurance that the control objectives were achieved. As an auditor, you will want your service providers to provide a Type 2 report, as Type 1 reports do not provide evidence that the controls are operating effectively. For Sarbanes-Oxley purposes, it is also recommended that you influence your vendors to have their SAS 70 Type 2 audits performed with an end date of the examination period that falls within three months of the end of your fiscal year. Type 2 examinations are usually performed with an examination period of six to twelve months. So if the review period ends 6/30 and your fiscal year ends 12/31, the results will be six months’ old by the time you use it for your certification. This is not ideal, but Sarbanes-Oxley guidance does provide directions for how to deal with it, so the report still has value (Davis C., et al.,2011).
3.6 Audit Evidence & Documentation
3.6.1 Audit Evidence
Evidence is defined as: any information used by the auditor to determine whether the information being audited is stated in accordance with the established criteria. The information varies greatly in the extent to which it includes information that is highly persuasive, such as the auditor’s count of marketable securities, and less persuasive information, such as responses to questions of client employees (Arens, 2012).
3.6.2 Audit Evidence Decisions
A major decision facing every auditor is determining the appropriate types and amounts of evidence needed to be satisfied that the client’s financial statements are fairly stated. There are four decisions about what evidence to gather and how much of it to accumulate:
1. Which audit procedures to use?
2. What sample size to select for a given procedure?
3. Which items to select from the population?
4. When to perform the procedures?
An Audit Procedure is the detailed instruction that explains the audit evidence to be obtained during the audit. It is common to spell out these procedures insufficiently specific terms so an auditor may follow these instructions during the audit. The list of audit procedures for an audit area or an entire audit is called an Audit Program. The audit program always includes a list of the audit procedures, and it usually includes sample sizes, items to select, and the timing of the tests. Many auditors use electronic audit software packages to generate audit programs. These software programs help the auditor address risks and other audit planning considerations and select appropriate audit procedures (Arens, 2012).
3.6.3 Types of Audit Evidence
In deciding which audit procedures to use, the auditor can choose from eight broad categories of evidence, which are called types of evidence. Every audit procedure obtains one or more of the following
Physical examination: Is the inspection or count by the auditor of a tangible asset. This type of evidence is most often associated with inventory and cash, but it is also applicable to the verification of securities, notes receivable, and tangible fixed assets. There is a distinction in auditing between the physical examination of assets, such as marketable securities and cash, and the examination of documents, such as canceled checks and sales documents. If the object being examined, such as a sales invoice, has no inherent value, the evidence is called documentation (Arens, 2012).
Confirmation: Audit evidence that is from an external independent source is more credible than evidence from an internal source. Most financial auditors confirm balances (e.g., creditor’s balances and debtor’s balances) by sending out confirmation letters to external independent sources such as banks and vendors. However, in the majority of IT audits, audit evidence is derived from the system configurations. Configurations obtained by an auditor through observation of the system or via a reliable audit software tool are more reliable than data received from the auditee (Kamau O.,2012).
Documentation: Is the auditor’s inspection of the client’s documents and records to substantiate the information that is, or should be, included in the financial statements. The documents examined by the auditor are the records used by the client to provide information for conducting its business in an organized manner and may be in paper form, electronic form, or other media. Because each transaction in the client’s organization is normally supported by at least one document, a large volume of this type of evidence is usually available. Documentation is widely used as evidence in audits because it is usually readily available at a relatively low cost. Sometimes, it is the only reasonable type of evidence available. (Arens, 2012).
Analytical procedures: consist of comparing items, for example, current year financial information with prior year financial information and analyzing predictable relationships such as the relationship of trade receivables with revenue. It can also be used to help identify any unusual trends or characteristics within the financial statements. What determines whether audit evidence is sufficient and appropriate will depend on a number of factors, such as:
The risk assessment.
The nature of the accounting and internal control systems.
Materiality.
The auditor’s experience of previous audits including the auditor’s knowledge of the business and the environment in which it operates.
The results of audit procedures.
The source and reliability of the information available (Radu.F and Ramona.F, 2011).
Inquiries of the client: involves seeking information from knowledgeable persons inside or outside the entity. Confirmation is the name given to a specific form of inquiry that is particularly widely used. It involves obtaining written confirmation from a third party, typically, although not exclusively, in relation to an account balance in which the third party has an interest. (Radu.F and Ramona.F, 2011).
Recalculation: involves checking the arithmetic accuracy of client’s records (Collings Steve, ISA 500 ‘ Audit evidence, http://www.accountancystudents.co.uk.) . Auditors commonly recalculate a company’s accounting reports or documents as part of the audit process. These procedures apply to financial statements, reconciliations, cost reports and other documents.
Auditors use these technical procedures to ensure a company is accurately applying basic accounting principles to its financial transactions. Conducting these recalculations independently also allows auditors to review information in individual financial accounts to ensure these items are correctly entered into the accounting ledger. (Radu.F and Ramona.F, 2011).
Re-performance: Re-performance is the auditor’s independent tests of client accounting procedures or controls that were originally done as part of the entity’s accounting and internal control system. Whereas recalculation involves rechecking a computation, re-performance involves checking other procedures. Another type of re-performance is for the auditor to recheck transfers of information by tracking information included in more than one place to verify that it is recorded at the same amount each time. ( Arens,2012).
Observation: It is suggested that observation should be carried out by two auditors. This is to corroborate what the auditor observed and to avoid instances in which management refutes the findings of the observation. In addition, observation is key in establishing segregation of duties. When auditing, where possible, the auditor should spend some time with the auditees. This will afford the auditor the opportunity to see exactly what is happening, not what should happen (Kamau O.,2012).
Figure No. 2 Shows the relationships among auditing standards, types of evidence, and the four evidence decisions. Auditing standards provide general guidance in three categories, including evidence accumulation. The types of evidence are broad categories of the evidence that can be accumulated. Audit procedures include the four evidence decisions and provide specific instructions for the accumulation of evidence.
Figure No.2 Relationships among auditing standards, Types of evidence, and the four audit evidence decisions
Source: (Arens, 2012, P.180)
3.7 Audit Documentation
3.7.1 Audit Documentation
Audit documentation is an essential element of audit quality. Although documentation alone does not guarantee audit quality, the process of preparing sufficient and appropriate documentation contributes to the quality of an audit. The auditor must prepare audit documentation in connection with each engagement in sufficient detail to provide a clear understanding of the work performed, including the nature, timing, extent, and results of audit procedures performed. The evidence obtained and its source and the conclusions reached (Bragg, Steve M., Wiley Practitioner’s Guide to GAAS 2010).
3.7.2 Effect of Technology on Audit Evidence and Audit Documentation
Audit evidence is often available only in electronic form, and auditors must evaluate how this affects their ability to gather sufficient appropriate evidence. In certain instances, electronic evidence may exist only at a point in time. That evidence may not be retrievable later if files are changed and if the client lacks backup files. Therefore, auditors must consider the availability of electronic evidence early in the audit and plan their evidence gathering accordingly.
When evidence can be examined only in machine-readable form, auditors use computers to read and examine the evidence. Commercial audit software programs, such as ACL and Interactive Data Extraction and Analysis (IDEA) software, are designed specifically for use by auditors. These programs are typically Windows-based and can easily be operated on the auditor’s desktop or notebook computer.
The auditor Obtains copies of client databases or master files and uses the software to perform a variety of tests of the client’s electronic data. These audit software packages are relatively easy to use, even by auditors with little IT training, and can be applied to a wide variety of clients with minimal customization. Auditors may also use spreadsheet software to perform audit tests. Auditors often use engagement management software to organize and analyze audit documentation. Using audit management software, an auditor can prepare a trial balance, lead schedules, support audit documentation, and financial statements, as well as perform ratio analysis.
The software also facilitates tracking audit progress by indicating the performance and review status of each audit area. Tick marks and other explanations, such as reviewer notes, can be entered directly into computerized files. In addition, data can be imported and exported to other applications, so auditors may download a client’s general ledger or export tax information to a commercial tax preparation package. Auditors also use local area networks and group share software programs to access audit documentation simultaneously from remote locations ( Arens,2012).
3.8 Audit Planning & Assessing Audit Risk
3.8.1 Audit Planning
The objective of the auditor is to plan the audit so that it will be performed in an effective manner. The auditor should establish an overall audit strategy that sets the scope, timing, and direction of the audit and that guides the development of the audit plan ( AICPA,2016).
Figure No.3 Planning an Audit and Designing an Audit Approach
Source: (Arens, 2012, P.210)
3.8.2 Assess Audit Risk
The assessment of risks is based on audit procedures to obtain information necessary for that purpose and evidence obtained throughout the audit. The assessment of risks is a matter of professional judgment, rather than a matter capable of precise measurement. Audit risk is the risk that an auditor may give an inappropriate audit opinion on financial statements that are materially misstated. To reduce the audit risk to an acceptably low level means the auditor needs to be more than certain that the financial statements are not materially misstated. This is reiterated by ISA 200, which states, ‘The auditor should plan and perform the audit to reduce audit risk to an acceptably low level that is consistent with the objective of an audit”(ISA 200, 2009). Otherwise, it also defines audit risk as “the risk that the auditor may unknowingly fail to appropriately modify his opinion on the financial statement that is materially misstated, and therefore, the risk that financial statement will include material misstatement. The more certain the auditor wants to be that he is expressing the correct opinion, the lower will be the audit risk he is willing to accept (SAS 47, 2006).
A risk assessment is a process wherein the stakeholders try to analyze and agree on a particular threat to a specific system (or component) and the probability of an occurrence. The exercise is sometimes scientific, but often involves an element of guesswork when data points are lacking. For this reason, it is sometimes considered a flawed practice, but it is also the best way to identify and document the threat and mitigation for a particular system at a particular time. The risk assessment itself can be seen as both an activity and a product. The product should be constantly reviewed and protected at the same time. An auditor should be able to review the risk assessment product and observe the risk assessment process. The consideration of risk management and the risk assessment is suited to a solid discussion during the cloud computing audit. The wide range of unique risks facing the organization make this an important subject and depend on the type and model of the cloud solution, the uniqueness of the client environment, and the specifics of data or an application. As we have pointed out above, many of the risks to cloud environments are similar and in some cases, the same as traditionally hosted and outsourced IT systems. The auditor will recall and focus on these common items: ( Ben Halpert,2011).
Gaps in control between processes performed by the service provider and the organization
Compromises of system security and confidentiality
Solutions selected incorrectly or with significant missing requirements
Discrepancies in contracts and gaps between business expectations and service provider capabilities
Costly compensating controls
Reduced system availability and questionable integrity of information
Poor software quality, inadequate testing, and a high number of failures
Failures to respond to relationship issues with optimal and approved decisions
Insufficient allocation of resources
Inability to satisfy audit/assurance charter and requirements of regulators or external auditors
Fraud
None of these are common controls, and each is likely to require an independent assessment of risk and mitigation by the sourcing firm. In addition, cloud environments and projects generate new risks due to a number of issues that are somewhat unique to this new computing model. The complexity brought about by dependency on third-party providers brings up unique problems that can be challenging’problems that almost always require specific address: vulnerability of communications channels, external interfaces, and reliance on self-imposed controls. The auditor will often uncover increased risks in cloud data centers because relationships with outside providers are not transparent to his organization. He will grapple with the issues and complexity of local and international laws. Compliance with these laws is difficult, due to the newness of the cloud business model, the potential for data flow through foreign countries, and the likelihood that incident and privacy laws will vary significantly in certain countries. Unique to the industry is a variety of technical challenges with operations that include the needs of the facility to grow rapidly and balance load requirements, the co-location of facilities with other businesses (including competitors), and the untested nature of the business model ( Ben Halpert,2011).
3.8.3 Audit and Risk
Continuous changes in technology offer the internal auditing (IA) profession both great opportunity and risk. Before attempting to provide assurance on the systems and processes, an IA should understand the changes in business and information systems, the related risks, and the alignment of strategies with the enterprise’s design and market requirements. The IA should review management’s strategic planning and risk assessment processes and its decisions. It is the responsibility of operational management to identify, assess, and manage risk. It is information system (IS) Audit’s responsibility to assist management in this process by facilitating the identification and assessment of risk and by assisting management monitor how well risks are actually being managed by the business.
People with Internal IT Audit Experience at Other Companies These people are the most likely to come on board and quickly contribute. Ensure that their IT audit shops had the same focus as yours. (That is, if you plan to be a comprehensive IT audit shop, you might not want to bring in someone from an IT audit shop that reviewed things only at the application layer.) They are the most likely to have performed in-depth technical reviews and understand the importance of positive relationships with audit customers.
People with External IT Audit Experience these people can provide a valuable asset to the team, bringing a deep understanding of audit theory. Unfortunately, many of the auditors at ‘Big 4′ external auditing companies do not perform in-depth technical reviews. During their IT audits, they tend to skim the surface and focus on generic general controls. It is often difficult to find someone from an external audit firm that really understands the technology he or she is reviewing. These folks are the most likely to hurt your credibility with your audit customers and give you a reputation of not really understanding how things work. They are also the most likely to push for all controls to be 100 percent mitigated instead of bringing some perspective to the table that not all issues are created equal. Again, these are generalities and there are some extremely talented and technical auditors working at external audit firms. The key is to vet this out during the interview process ( Chris .D, et al., 2011).
Many organizations do not have the resources available to identify, analyze, and control all business risks from an IS perspective. Implementing a formal risk assessment process assists by providing a consistent method for selecting high-impact risks on which to focus audit resources. During the risk assessment, IS Auditors develop an understanding of the operation’s business in order to facilitate the identification and assessment of significant risks to and from the IS. This assessment is then used to allocate audit resources to areas within the organization that provide executive management and the Audit Committee with the most efficient and effective level of audit coverage.
Based upon the individual risk positions adopted, companies will have many different risk mitigation interventions, such as insurance coverage, financial instruments, compliance, and internal audit functions. Management must understand that internal audit does not replace management’s responsibility to control its own risk to acceptable levels (Richard E. Cascarino, 2007).
3.8.4 Audit Risk Components
Audit risk is the risk that the auditor expresses an inappropriate opinion when the financial statements are materially misstated. Audit risk is a function of material misstatements and detection risk ( www. theelsesite.wordpress.com).
Audit Risk = Inherent Risk x Control Risk x Detection Risk
Source (Steve Obock, 2017)
It has two elements:
The risk that the financial statements contain a material misstatement (inherent risk and control risk).
The risk that the auditors will fail to detect any material misstatements (detection risk).
Figure No.4 Elements of risk
Source (www. theelsesite.wordpress.com)
As you can see from the above figure, audit risk has two major components:
The risk of material misstatement arising in the financial statements independent of the entity, and cannot be influenced by the auditors. It is a product of inherent risk and control risk.
Detection risk is dependent on the auditor and is the risk that the auditor will not detect material misstatements in the financial statements.
The following are the components of risks:
Figure No.5 Components of Audit Risk
Source (www. theelsesite.wordpress.com)
3.8.4.1 Inherent risk
Inherent risk is the susceptibility of an assertion to a misstatement and that could be material individually or when aggregated with other misstatements, assuming there were no related internal controls.
Inherent risk is the risk that items will be misstated due to characteristics of those items, such as the fact they are estimates or that they are important items in the accounts. They auditors must use their professional judgment and al available knowledge to assess inherent risk. If no such information or knowledge is available then the inherent risk is high.
3.8.4.2 Control risk
Is the risk that a misstatement that could occur in an assertion and that could be material, individually or when aggregated with other misstatements, will not be prevented or detected and corrected on a timely basis by the entity’s internal control.
3.8.4.3 Detection risk
Is the risk that the auditor’s procedures will not detect a misstatement that exists in an assertion that could be material, individually or when aggregated with other misstatements.
Detection risk is the component of audit risk that the auditors have a degree of control over, because, if the risk is too high to be tolerated, the auditors can carry out more work to reduce this aspect of audit risk, and therefore audit risk as a whole.
3.8.5 Acceptable audit risk
Is a measure of how willing the auditors is to accept that the financial statement may be materially misstated after the audit is completed and an unqualified opinion has been issued. When auditors decide on a lower acceptable audit risk, they want to be more certain that the financial statements are not material misstated (Arens, 2012).
3.8.6 Audit risk based approach in cloud computing environment and internal auditor
Process auditing has become much more important as an auditor must begin the audit planning by understanding the objectives of each business process and then determine whether these objectives have been incorporated into the client’s processes, while adequately considering risks and internal controls (Bierstaker, et al., 2001). According to (Halpert,2011), An auditor should be able to review the risk assessment product and observe the risk assessment process.(Singleton,2010)proposes a risk-based approach that encourages effective risk assessment and auditing for the identified risks. The very best Internal Audit functions are regarded as a catalyst for change, helping the organization through the difficulties of changing environments, cultures, and so on. (Phil G., 2005) So IT auditors need to understand these technologies, establish an approach for identifying the key risks and develop effectual audits of the technologies for those risks.
However, the Risk-Based Approach (RBA) process for cloud computing is complicated by the fact that all of the technologies and controls are housed outside the entity being audited (Singleton, 2010). The cloud user is strongly advised to perform a risk assessment of any system proposed for the cloud environment. In some cases, the assessment of risk will be performed as part of enterprise risk management and should be adjusted to address specific risks associated with different vendors, specific cloud offerings, existing compliance requirements, and data sensitivity. The wide range of unique risks facing the organization make this an important subject and depend on the type and model of the cloud solution, the uniqueness of the client environment, and the specifics of data or an application (Halpert, 2011).
3.8.7 Review and evaluate the vendor’s physical security
Physical security impacts logical security because physical access can override some logical access controls. You can have excellent logical security, but if someone can walk in off the street and walk off with the computer (or perhaps just the disk drive or tape cartridges) containing your systems and data, you will at a minimum experience a disruption of service, and if the data is not adequately encrypted, you may also be looking at a security breach (Davis C., et al., 2011).
3.9 Auditing Cloud computing framework
3.9.1 Auditing Cloud computing framework in performing a risk assessment base on the components are Infrastructure As A Service (IAAS) and Software As A Service (SAAS)
(Singleton,2010) asserts that IT auditors need to understand cloud technology, especially SaaS and IaaS; establish an approach for identifying key risks, and develop effective audits. There is a simple framework for thinking about cloud computing that should help IT auditors in performing a risk assessment. The components are Infrastructure as a Service (IaaS) and Software as a Service (SaaS)’almost identical to the way we think of the body of technologies internal to an entity.
A. Auditing Cloud computing framework in performing a risk assessment base on the components are Infrastructure As A Service (IAAS) Services of (IaaS) components replace or supplement the internal infrastructure. The key decision factors for management in deciding to move to (IaaS) (outsourcing part of its infrastructure) and choosing the appropriate vendor are usually efficiency-related. There are various ways to break down(IaaS), but here is one way:
1)Connectivity
2) Network services and management
3)Compute services and management
4)Data storage
5)Security
Connectivity obviously refers to reliable access to the Internet and connectivity to associated systems and technologies, for instance, data storage to application servers. Examples of risks would be availability/downtime and speed of access.
Network services and management includes not only providing network capabilities but managing the network, monitoring the network and providing for efficient access through aspects such as load balancing. Examples of these risks scalability for new technologies or expanding the level of transactions, availability, secured transmissions, and the level of access (e.g., load balancing).
Compute services and management include appropriate resources such as core, processors, memory and managing the operating system (OS). Examples of the risks are availability (including system failure) and scalability.
There has been significant growth in data centers over the last few years, and data centers are becoming more sophisticated in the scope of services. Examples of the risks for data storage include the obvious: security of data, recovery, availability, and scalability.
The security and recovery issues are particularly important. Management should ensure that the data storage aspect of ( IaaS) can provide an appropriate level of physical and logical security and an appropriate recovery methodology to ensure a timely recovery if the data center is involved in a disaster.
B. Auditing Cloud computing framework in performing a risk assessment base on the components Software As A Services (SAAS)
Some of the key points in deciding to use (SaaS), or a particular vendor, are the complexity of the environment, the need to buy smaller pieces/modules, compatibility with existing systems and IT (including programming platform), ease of purchase, ease of integration, project management, scalable infrastructure, and billing/costs (metering). There are various ways to break down (SaaS), but here is one framework:
Business process modeling; involves the need to fit together workflow/business process structure, applications and data, organizational structure, and the integration of existing systems.
Evaluation and analysis; Evaluation and analysis includes process cost accounting, balanced scorecards, service level agreements (SLA), process warehouse and optimization.
Process execution; Process execution includes workflow control, applications integration (enterprise application integration [EAI]), service orchestration (service-oriented architecture [SOA]), populating databases/conversion and business activity monitoring (Yati Nurhajati , 2016).
3.9.2 The auditing aspects in Cloud Computing Environment
(Mohanty, Pattnaik, and Mund, 2014) propose the auditing aspects in Cloud Computing Environment are discussed as follows:
Auditing for regulation or compliance: A set of rules and principles are designed to govern or control the conduct for auditing. Compliance is concerned with legal issues, social activities, marketing strategies, and co-operative conduct. In every aspect of compliance, auditing is highly needed for maintenance of governing conduct. Auditing for regulations and compliance is also needed to restrict increasing complexity to comply with standards and to maintain the agreement for privacy laws.
Auditing for Risk and Governance: Governance is exceedingly concerned with the performance measurement & its strategies and risk management & its proper administration is also an important issue of an IT landscape. Different management laws and policies, priority & resources needed for the processes, alignment of customs are the basic functionalities of this category.
Auditing for security: Security issues are the concern for auditing. In the administration security, everyone should know the responsibilities of each designation. Technical auditing is also concerned with security issues. Physical resources are also in need of auditing of its priority, availability and cost complexity
Database Auditing: Database auditing is related with observing a cloud database so as database auditors and administrators can take care of the actions like accesses, modifications, updating issue of the database users. Database auditing is mainly query-based auditing. Queries are presented to the auditor one at a time; auditor checks if answering the query combining with past answers reveals the secret or forbidden information.
Service level agreements (SLAs) Auditing: In Business Service Provider (BSP) layer, SLAs is concerned about business-oriented agreement and laws. So in every level of agreements, auditing is highly required to maintain to proper usage of laws and terms & conditions.
Third Party Storage Auditing Service Provider: Considering Cloud data storage and database service, four different entities are there in Third Party Storage Auditing Service Provider, as shown in the [Figure:6]: The Cloud user, hosting machine in Cloud Service Provider (CSP), Cloud Database Server (CDS) and Third Party Auditing Service (TPAS). The cloud user, having a huge amount of data files which are to be stored in the cloud. The Cloud user interacts with hosting machine in CSP through Cloud-based user Interface and deploys various applications. They may also dynamically communicate with Cloud Database Server (CDS) for storing and maintenance of their data files. While deploying their various applications onto host machine, the users may rely on TPAS in assuring the confidentiality, availability, and integrity of their outsourced data to preserve the privacy of their own data. TPAS is capable of maintaining the privacy of user-data and can be trusted as it may review the cloud database storage reliability in support of the cloud user upon request. An unauthorized user can put a set of intelligent queries to the database server, of which none of the queries is forbidden. So the unauthorized user, combining the set of replies, may get the secret information which is forbidden. Hence TPAS has the responsibility to maintain the privacy of user data.
Figure No.6 Cloud Data Storage Scenario
Source: (framework for auditing in cloud computing environment)
3.9.3 Standard framework control to cloud computing environment
Control (compliance) frameworks have not yet been well adapted to cloud environments, although most (like COBIT, ITIL, and ISO 27001) are considered sufficient overall and a worthy starting point. Information assurance controls or Common Criteria have supported auditing by dictating minimal requirements for an audit. CSA, NIST, ISACA, and ENISA. These organizations have been leading the development of concepts and guidance sufficient to understand, protect, and trust cloud infrastructure. It is advisable to keep up with new publications from these organizations (and many others) to keep abreast of new thought and advice (Halpert, 2011).
3.10 Legal Concerns and Regulatory Compliance
Review and evaluate your company’s right and ability to obtain information from the vendor that may be necessary to support investigations. Your company may be required to perform e-discovery (electronic discovery) in support of litigation. Inability to produce applicable data may result in legal ramifications, as your company will be held legally responsible for your information, even if it’s being stored and processed by a third-party provider. Your company may also need to perform investigations for its own reasons (for example, to investigate inappropriate activities such as fraud or hacking attempts). An inability to access appropriate logging and other data will prevent you from performing your investigations, leaving you with no real recourse when those inappropriate activities occur. This step is most applicable to cloud computing.
Because cloud providers often comingle their customers’ data, especially logging data, it is critical that you receive a contractual commitment from your vendors to support investigations. Review the contract and ensure this is documented as a requirement, including details as to the kind of investigative support you may need (such as specific log information, data format requirements) and the required response time for requests. It is also important that the contract defines the responsibilities of both the cloud provider and your company related to e-discovery (for example, who is responsible for conducting the searches, for freezing data, for providing expert testimony, and so on). Review the vendor’s processes to ensure that a formal process is in place to cooperate with customer investigations and to handle subpoenas for information. If you find that the cloud provider is incapable of (or unwilling to) providing adequate support of investigations, your company may need to maintain copies of its data in-house. If this is the case, the costs of doing so will affect the benefits of the cloud relationship (Davis C., et al.,2011).
3.11 Determine whether appropriate governance processes are in place over the engagement of new cloud services by your company’s employees
Cloud computing makes it easy for business unit personnel to meet their needs without ever engaging corporate IT. Because most cloud services can be accessed via an Internet-connected browser, a business unit can engage a cloud vendor and outsource the systems and data related to one of their business processes without really having to tell anyone else. This has the potential to bypass all of the governance processes normally in place to ensure proper security of company data, interoperability of systems, appropriate support capabilities, and so on. This step is most applicable to cloud computing.
Review company policies to determine whether this topic has been addressed. Policies should be in place requiring company personnel to follow specific procedures when engaging vendors for this sort of service. If this policy exists, review it for adequacy. It should require that IT be engaged and that specific security and operational needs be addressed. Determine how employees are made aware of the policy. Also, determine how the policy is enforced. For example, if your company has a centralized procurement organization that must be engaged to sign contracts and pays invoices, you can use them as the gatekeeper for ensuring that proper procedures are followed for new engagements (Davis C., et al.,2011).
3.12 Review and evaluate your company’s processes for monitoring the quality of outsourced operations. Determine how compliance with SLAs and other contractual requirements are monitored
Although you have hopefully dictated expectations in your contract, unless you monitor for compliance with those expectations, you will have no way of knowing whether they’re being met. If those expectations are not met, the availability, efficiency, and effectiveness of your operations and the security of your systems and data can be impacted. This step is applicable to all forms of outsourcing (Davis C., et al .,2011).
Chapter Four The importance of Cloud computing for Accounting and Auditing
Introduction and background
Definition of cloud computing
Cloud computing characteristics
Deployment Model
Cloud computing principles
Cloud computing benefits
Cloud computing risks
Moving to the cloud
Cloud security guidance
The situation of cloud computing in Africa
Cloud computing in Egypt
‘
4. Chapter Four: The importance of Cloud computing for Accounting and Auditing
4.1 Introduction and Background
Recently, Cloud computing (CC) has widely been applied in several industrial fields such as Google, Facebook, Amazon, and (e-business, e-learning.. etc.) and is considered a new communication technique that combines multiple disciplines such as parallel computing, distributed computing, and grid computing. In return, it provides Virtualization, utility computing, and other multiple services for client enterprise (Omer K., et al .,2014).
Cloud Computing is a new model for hosting resources and provisioning of services to the consumers. It provides a convenient, on-demand access to a centralized shared pool of computing resources that can be deployed by a minimal management overhead and with a great efficiency. The term “Cloud Computing” sprang from the common practice of depicting the Internet in pictorial diagrams as a cloud Internet. Cloud Computing providers depend on the Internet as the intermediary communications medium leveraged to deliver their IT resources to their consumers on a pay-as-you-go basis. By using cloud computing consumers can be access resources directly through the Internet, from anywhere by using any Internet devices, and at any time without any technical or physical concerns (Farhan B., Sajjad H.,2011). NIST (National Institute of Standards and Technology) defines, Cloud Computing is on-demand access to a shared pool of computing resources. It is an all-inclusive solution in which all computing resources (hardware, software, networking, storage, and so on) are provided rapidly to the consumers (ZaighamM.,2011).
The remarkable development of cloud computing in recent years is increasingly sparking the interest of the Internet and IT users seeking to derive the greatest benefit from the services and applications available online via the web in a service-on-demand mode with per-usage billing. Cloud computing offers a new economic model for Information and Communications Technology (ICT) ‘ a model which heralds new modes of investment in, and operation of, IT resources.
With cloud computing, organizations, institutions, and companies no longer need to invest heavily in such resources, which are of necessity limited and require burdensome and costly internal management, having instead the option to migrate to a cloud model enabling them to purchase or lease resources online. This model frees them from internal management costs, the IT resources being administered by the cloud computing provider. The availability of online services also frees users from the need to acquire hardware by paying instead for the resources used. This model has already been adopted by many companies, particularly small and medium-sized firms and very small firms. Cloud computing also offers IT resource (hardware and software) modularity, with availability in terms of volume and time according to the customer’s requirements and at its request. In an economic context where companies are seeking to make the most from their investments and minimize operating costs, cloud computing is seen as the solution for tomorrow (Slaheddine M.,2012).
4.2 Definition of cloud computing
The US National Institute of Standards and Technology (NIST) defines cloud computing as ‘a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction, According to NIST, the cloud computing model comprises five essential characteristics, three service models, and four deployment models .
(Mell P., Grance T., 2011) defined Cloud Computing as” a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”.
The difficulty in reaching a clear-cut definition of Cloud Computing may be attributed to either its origination from many different network architectures or due to the vast services that it provides.
(Halpert, B.,2011)The actual definition of cloud computing is frequently contested. Most will agree that any computing model that qualifies as cloud computing must at minimum have the following criteria:
Elasticity
Cloud computing is typified by its ability to rapidly scale the capacity of the provided service up or down with little to no interaction with the consumer.
Economics
With cloud computing services, the expectation is that the consumer is charged for the amount of time used on the resource. Cloud computing changes the computing barrier to entry for high-performance computing resources, by allowing consumers to use only what they need for the time in which they need it. In turn, this has allowed organizations to effectively respond to peak demand requirements without having excess compute resources sitting idle during dormant periods. Clouds can achieve this by distributing the load across multiple shared resources and relying on economies of scale.
Abstraction
The most significant change with cloud computing is that of abstraction, most cloud providers provide one or more service layers to their consumers. The operational aspect of the layers supporting the service is insulated from the customer. So, a Software as a Service (SaaS) customer will interact with the application itself, but not with the operating system or hardware of the respective cloud. This key difference allows organizations that do not have the necessary system administration skills or computer facilities to leverage enterprise applications hosted by others.
4.3 Cloud Computing Characteristics
When considering cloud computing, there is a need to be aware of the types of services that are offered, the way those services are delivered to those using the services, and the different types of people and groups that are involved with cloud services.
Cloud computing delivers computing software, platforms, and infrastructures as services based on pay-as-you-go models. Cloud service models can be deployed for on-demand storage and computing power in various ways: Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS). Cloud computing service models have been evolved during the past few years within a variety of domains using the ‘as-a-Service’ concept of cloud
Computing such as Business Integration-as-a-Service, Cloud-Based Analytics-as-a-Service (CLAaaS), Data-as-a-Service (DaaS) (Gholami A., Laure E.,2016).
Table 2. Categorization of Cloud Service Models and Features
Service Model Function Example
SaaS Allows consumers to run applications by virtualizing hardware on the resources of the cloud providers
Salesforce Customer
Relationship Management
(CRM)
PaaS Provides capability of deploying custom applications with their dependencies within an environment called a container Google App
Engine Heroku
IaaS Provides a hardware platform as a service such as virtual machines, processing, storage, networks and database services Amazon Elastic Compute
Cloud (EC2)
Source (Gholami A., Laure E.,2016)
4.4 Deployment Model
In addition to these service models, four deployments
have been added:
Public cloud: The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.
Private cloud: The cloud infrastructure is accessible for an organization only. It may be managed by the organization itself or a third party and can be internal or external.
Community cloud: A private cloud that is shared by several customers with similar security concerns and the same data and applications sensitivity.
Hybrid cloud: It merges more than one Cloud Computing model into a single, hybrid model; using a public cloud for hosting sites that must be published publically and containing uncritical data and using a private cloud for all the other sensitive data or services. This scenario is good for economic and business requirements (Hosam F., El-Sofany, et al.2012).
In addition to the NIST definition, there are other service models such as:
Hardware as a Service (HaaS): Contrarily to the SaaS and PaaS that provide applications and services to the customers, HaaS offers only the hardware.
Database as a Service (DaaS): the aim of a DaaS is to offer a database and the services allowing its management to avoid the complexity and running cost of a database if hosted in the own network of a company or organization (Hosam F., El-Sofany, et al.2012).
4.5 Cloud computing principles
(Das,2013) argues that cloud computing has five key principles:
Shared resources (including applications, processors, storage, and databases);
On-demand (users retrieve and use cloud information resources from the cloud);
Elasticity, flexibility, and scalability (clouds are receptive to user needs);
Networked access (wide accessibility); and
Metering use (involve payments and storage efficiency).
4.6 Cloud Computing Benefits
There are Some benefits of cloud computing which are listed below (Hussien A., Mohamed O.,2015):
Reduced Cost
There are a number of reasons to attribute cloud technology with lower costs. The billing model is paid as per usage; the infrastructure is not purchased thus lowering maintenance. Initial expense and recurring expenses are much lower than traditional computing.
Increased Storage
With the massive Infrastructure that is offered by Cloud providers today, storage & maintenance of large volumes of data is a reality. Sudden workload spikes are also managed effectively and efficiently since the cloud can scale dynamically.
Flexibility
This is an extremely important characteristic. With enterprises having to adapt, even more rapidly, to changing business conditions, speed to deliver is critical. Cloud computing stresses on getting applications to market very quickly, by using the most appropriate building blocks necessary for deployment.
4.7 Cloud computing risks
Although there are many benefits to cloud computing, it is not without its own challenges. Traditional computing models have permitted a high degree of control over compute resources. The sections below review the main topics of concern with an emphasis on their interpretation from a management point of view. They are not ordered by severity but rather represent specialists’ views regarding the major risks of cloud computing and the relevant mitigation practices.
4.7.1 Information security
As with any modern technology, information security remains a major concern in the adoption of cloud services. It is rated as the top threat in interviews with South African participants performed by (Carroll et al. 2011). ( ENISA, 2009a), in turn, finds that 43 out of 64 SMEs surveyed point to confidentiality of corporate data as a show stopper, with privacy mentioned by nearly a half. (Sultan,2011) Moreover, cites a survey of chief information officers carried out by the International Data Corporation (IDC) with almost 75% of respondents saying they were concerned about security.
On the one hand, the technology’s presence on the web and the massive concentration of data present a more attractive target for hackers (ENISA, 2009b). As (Kaufman,2009) explains, providers like Amazon and Microsoft, for example, have the capabilities to deflect and survive cyber-attacks that not all providers have. On the other hand, cloud defenses rely on economies of scale and hence cost efficiency and on the concentration of expertise in the provider. Moreover, the distributed nature of the cloud with data stored in multiple data centers limits damage due to such attacks (Biswas, 2011a). Therefore it is not necessarily a disadvantage for companies to perform activities on the web. As ( Biswas,2011a) stresses, an in-house IT department is not necessarily more secure than a cloud-based offering as it is still connected to the Internet and thus susceptible to hacking attacks. Nevertheless, customers should ensure before signing up for a service that the security that the provider offers meets their requirements (OneStopClick, 2011). This issue is further heightened in the case where a cloud offering involves several different providers (i.e. a cloud provider outsourcing activities to another provider without necessarily informing the client) with the resulting product being as strong as its least secure provider.
4.7.2 Privileged user access
As (Heiser and Nicolett,2008) point out, the processing of sensitive data outside the premises of an enterprise bypasses the ‘physical, logical and personnel controls’ that an in-house IT department exerts. The concept of the cloud may, therefore, become misleading as customers forget that their data is ultimately stored somewhere in a physical environment (Popovic & Hocenski, 2010). This brings us to the risk of a malicious insider who may cause brand damage, and financial and productivity losses to the customer (Cloud Security Alliance [CSA], 2010). Customers are therefore advised to require information on the hiring and oversight of privileged cloud administrators (Heiser and Nicolett, 2008).
CSA (2010) reviews some of the top threats in this category, namely account, and credentials hijacking. If an attacker manages to steal a customer’s credentials they will be able to access their cloud services, track their activities, manipulate their data, and redirect visitors to illegitimate websites, which could lead to damage to reputation and financial loss, and be the base for subsequent attacks. The remediation solutions revolve mainly around policy, such as a strong authentication process, no shared accounts, and a proper understanding of the service level agreements (SLA). Experts advise on the use of the least privilege principle (CSA, 2011; ENISA, 2009b). ‘This principle maintains that an individual, process, or another type of entity should be given the minimum privileges and resources for the minimum period of time required to complete a task’ (CSA, 2011). Moreover, the same person should not have access to more than one related function (CSA, 2011). This opens the question of how the accounts with the highest level of privilege are authenticated and managed (ENISA, 2009b).
4.7.3 Data Evacuation
In cloud environments, data evacuation can be a significant concern. Data evacuation focuses on how sensitive information is cleared from physical storage due to the suspension or deletion of a consumer’s resources. This might be a table in a database, a virtual disk on a Storage Area Network (SAN), or virtual memory on a suspended disk. In the highly elastic world of cloud computing, memory is usually de-allocated, but not cleared. So a virtual machine containing sensitive information wouldn’t be zeroed out prior to deletion, but rather its disk space would be released back to the SAN as is. Depending on the consumer’s requirement regarding data security, this might be a point of concern. Consumers should discuss this requirement if applicable with their provider. In instances where providers do not have advanced capabilities, the consumer should employ their own controls, such as encryption, when possible( Halpert, B.2011).
4.7.4 Investigative support
As ( Cunningham P., 2009) notes, the pretrial collection of electronic evidence in a lawsuit, known as e-discovery, assumes that an enterprise knows exactly where the data are located and how they are backed up and secured. It also assumes that the enterprise has the ability to physically examine storage media for deleted files, for example. When the enterprise stores its data on the cloud, it has little to no visibility to the storage and backup processes of the provider or the physical storage media themselves.
Heiser and Nicolett (2008) and that a single storage device may contain data and logging from multiple customers which pose challenges to understanding the access and deletion of files, and further from a privacy point of view. The data may also be located in different, often changing, data centers. Moreover, conducting a forensic investigation even on an enterprise’s own infrastructure is difficult, time-consuming and expensive.
If the enterprise relies on cloud services for the processing of business records or anticipates the need for investigation it has to factor in the inability or unwillingness of the provider to support it (Heiser and Nicolett, 2008). If the customer is unable to obtain a contractual agreement for the support of certain investigation activities and evidence that such was supported in the past, then they will probably not be supported in the future (Heiser and Nicolett, 2008).
4.7.5 Availability and disaster recovery
Availability of cloud services, especially for critical business processes is essential. If you are an online retailer whose retail platform is on a cloud, its failure can have serious repercussions to your business (Prakash, 2011). Heiser and Nicolett (2008) advise that any enterprise wishing to outsource critical business processes to the cloud should define, together with the provider, an SLA for the availability of service for critical business processes.
As Sultan (2011) points out, Salesforce.com was unavailable for 6 h in February 2008, followed by Amazon’s S3 and EC2 clouds only several days later. Amazon’s S3 was unavailable again for 8 h later that year. The list of similar accidents extends to more recent years as well with the multi-day failure of Amazon’s EC2 in April 2011. As ENISA’s (2009a) survey shows, 28 out of 66 SMEs consider the availability of service and data as an issue of critical importance. On the other hand, the availability of service in many cases, and in particular with respect to SMEs, surpasses the availability that an in-house IT department can maintain.
Closely related is the issue of disaster recovery. In the interviews of Carroll et al. (2011), it receives 66.7% of the votes as an area of critical importance and ranks second after information security. From another perspective, ENISA (2009a) finds that 52.8% of SMEs cite business continuity and disaster recovery capabilities as a driver for a possible engagement in cloud computing. It is therefore important for businesses to require information on what happens to their data in case of disaster and how long the recovery process lasts (Prakash, 2011).
4.7.6 Provider lock-in and long-term viability
As Sultan (2011) explains, many cloud providers use proprietary formats for application programming interfaces (APIs), data import and export, the storage of server images for disaster recovery, etc. As the number of providers grows, the portability and interoperability concerns will become even greater. Such concerns are further exacerbated by possible provider failures. Related, therefore, is the issue of long-term viability considering the implications of the potential bankruptcy of the provider or its acquisition by another company. (Heiser and Nicolett, 2008). Customers should ensure that the SLA covers such scenarios and that their data will be available and they will have the ability to transfer it to a replacement application or another cloud provider (Heiser and Nicolett, 2008).
(Scheier,2009) gives several examples of failures such as those of web application development provider Coghead and online storage facilities The Linkup and Up-line. Even though Coghead’s intellectual property was purchased by enterprise software developer SAP, Coghead’s customers were given less than three months to retrieve all their data and applications. (Scheier,2009) proposes several steps to mitigate the effect of provider failure. He suggests that customers should inspect providers by performing checks on their revenues, profitability, a number of customers, etc. as they would with any other vendor. They should also regularly back up their data and applications on local servers which require maintaining local storage capacity and leads to the issue of application and data portability again. Customers should have contingency plans for data and application porting and enquire whether the provider offers technical support in such scenarios.
4.7.7 Data Residency
Different countries and regions have different requirements regarding how its citizens’ information should be handled. In some areas, such as the European Union (EU), there are specific requirements regarding protection of personally identifiable information (PII) of EU residents. In other areas, such as the United States (US), there are directives regarding protected health information (PHI), such as the Health Insurance Portability and Accountability Act (HIPAA). The challenge is that without knowing where all the cloud provider’s assets reside, it is difficult to know which legislation the consumer needs to comply. Furthermore, if the cloud provider has multiple centers worldwide, in many instances it is impossible to tell where in the world a particular consumer data set might be at any one point in time. Cloud consumers should consult with their providers regarding the countries in which they operate, and if possible restrict them to a subset that is congruent with their security and compliance requirements ( Halpert, B.,2011).
4.8 Moving to the Cloud
Migrating to cloud computing is not a trivial task. The cloud is a different model that both techniques and nontechnical are not used to working with. Therefore, organizations should be well prepared for this shift. As illustrated in Figure 7, successful migration process should contain the following steps:
‘ Education: Early adopters should first learn the basics of cloud computing. Many workshops, conferences, magazines, forums, and case studies are now available to give beginners (both IT and non-IT practitioners) materials and information needed to understand this new paradigm.
‘ Needs Assessment: Cloud computing is by no means a silver bullet but might be a way to help businesses overcome the limitations of on-premises solutions. Projects should not be driven by the hype; rather, organizations should know exactly why they are moving to cloud computing and what is expected from the switch. It is important that implementers know which parts of their data centers should migrate to the cloud. It is equally important that they know if this migration is a strategic or tactical decision.
‘ Risk Assessment: As described in the ‘Cons’ section, cloud computing is not a risk-free technology. Adopters should analyze the pros and cons of utilizing cloud computing versus on-premises model in reference to their needs to make sure that risks do not outweigh the benefits.
‘ Start Small: Implementers should not ship all IT projects to the cloud at once’it is not an all-or-nothing decision. Rather, they should start with one small project like those used by small offices/departments. Implementers will need to learn how to use resources and services of selected provider(s). Developers should learn provider’s APIs to allow their applications to dynamically scale up or down their usage in accordance with actual needs. Administrators should know how to manage and monitor used services. In practice, the first implantation will come out with a list of lessons learned that can be usefully applied to future projects. This strategy will help organizations get hands-on experience as well as minimize risks associated with the decision to adopt a new technology.
‘ Follow-up: The purpose of this phase is to improve the over- all quality of implemented projects. Organizations should assess their projects to decide whether to keep on using cloud option or not. If adopters decide to retain cloud computing, they should continuously review their implementations and decide which parts should stay in the cloud and which should not. During this phase, new cloud projects may be implemented, more data may move to the cloud, and some projects/data may move back from the cloud (Qusay F.,2011).
Figure No. 7 Cloud Computing Migration Steps
4.9 Cloud Security Guidance
As customers transition their applications and data to the cloud, it is critical for them to maintain, or preferably surpass, the level of security they had in their traditional IT environment.
This section provides a prescriptive series of steps for cloud customers to evaluate and manage the security of their use of cloud services, with the goal of mitigating risk and delivering an appropriate level of support. Some of the following steps related to audit will be discussed in detail below:
1. Ensure effective governance, risk and compliance processes exist
2. Audit operational and business processes
3. Manage people, roles, and identities
4. Ensure proper protection of data and information
5. Enforce privacy policies
6. Assess the security provisions for cloud applications
7. Ensure cloud networks and connections are secure
8. Evaluate security controls on physical infrastructure and facilities
9. Manage security terms in the cloud service agreement
10. Understand the security requirements of the exit process
Requirements and best practices are highlighted for each step. In addition, each step takes into account the realities of today’s cloud computing landscape and postulates how this space is likely to evolve in the future, including the important role that standards will play to improve interoperability and portability across providers (Claude B., et al.,2015).
4.9.1 Step 2: Audit operational & business processes
Companies understand the importance of auditing the compliance of IT systems, which host their applications and data, to ensure compliance with their corporate, industry or government requirements and policies. As a baseline, customers should expect to see a report of the cloud provider’s operations by independent auditors. The level of access to essential audit information is a key consideration of contracts and SLA terms with any cloud provider. As part of any terms, cloud providers should offer timely access to audit events, log and report information relevant to a customer’s specific data or applications.
Security tends to be a significant element of any compliance framework. There are three significant areas where the consideration of security methods for cloud computing are of particular interest to cloud service customers and to auditors (Claude B., et al.,2015):
Understanding the internal control environment of a cloud provider, including risks, controls, and other governance issues when that environment touches the provision of cloud services.
Access to the corporate audit trail, including work flow and authorization, when the audit trail spans cloud services.
Assurance of the facilities for management and control of cloud services and how such facilities are secured.
Understanding the internal control environment of a cloud service provider
Using cloud services creates the need for appropriate auditing of the activities of persons employed by the provider, the customer, or the customer’s partners to ensure that the security controls meet the requirements of the customer. Customers should expect to see audit information relating to any cloud service provider they plan to use. There are several standards that can be used as the basis for auditing a provider, such as the International Standards Organization (ISO 27000) series. These standards provide the basis for assuring customers that proper controls are in place within the provider organization.
Key controls for cloud services include (Claude B., et al.,2015):
Ensuring isolation of customer applications and customer data in shared, multi-tenant environments,
Providing protection of customer assets from unauthorized access by the provider’s staff.
Auditors may be employed by the customer or by the provider – but the key element is that they should be independent. Auditors require access to the policies and procedures of a cloud service provider which relate to security controls. Auditors also require access to logs and records that show whether the policies and procedures are being followed correctly and in some cases, the auditors may require specific testing to demonstrate compliance with the prescribed policies and procedures.
Security and authentication technologies, allied to event logging, in the cloud computing environment can help auditors as they deal with issues related to workflow – were those who entered, approved, changed or otherwise touched data authorized to do so.
Access to the corporate audit trail
It is vital for cloud service customers to have appropriate access to cloud provider events, logs and audit trails that prove enforcement of provider security controls. Auditors need to assure cloud customers that all the necessary information is being logged and stored appropriately by the cloud service provider, including authentication, authorization and management information relating to the use of particular applications and data against all security and compliance policies established by the provider or customer.
For complete insight into security controls, as they relate to the customer’s applications and data, mechanisms for the routine flow of audit information from the provider to the customer are recommended. This flow may include secure logs and reports sent on an agreed-upon schedule. There should be more timely notification of any exceptional security alerts, events or incidents – and incident management processes should be documented and audited. Any audit data should have the necessary associated information to enable forensic analysis to understand how any particular incident occurred, what assets were compromised and what policies, procedures, and technologies need to be changed to prevent recurrence, along with any additional security controls that need to be established.
Ideally, there should be automated, standards-based, access (through APIs or Web services) to all of these audit facilities, to ensure timely availability of required data and to remove the costs associated with the human processing of requests for information.
Assurance of the facilities for management and control of cloud services
In addition to the cloud services themselves, providers generally provide customers with self-service facilities to manage and monitor the usage of their cloud services and associated assets. These facilities may include service catalogs, subscription services, payment processes, the provision of streams of operational event data and logs, usage metering data, facilities for configuring services including adding and removing user identities and the management of authorizations.
These facilities are often more sensitive in security terms than the services and applications to which they apply, since the potential for abuse and damage may be higher. A security audit must extend to these facilities as well as to the main services of the provider.
Auditing is essential
The security audit of cloud service providers is an essential aspect of the security considerations for cloud service customers, typically as part of a certification process. Audits should be carried out by appropriately skilled staff typically belonging to an independent auditing organization. Security audits should be carried out on the basis of one of the established standards for security controls. Customers need to check that the sets of controls in place meet their security requirements.
There is also a need to ensure proper integration of the cloud service provider’s reporting and logging facilities with the customer’s systems, so that appropriate operational and business data flows on a timely basis to enable customers to manage their use of cloud services (Claude B., et al.,2015).
4.9.2 Step 4: Ensure proper protection of data and information
Data is at the core of IT security concerns for any organization, whatever the form of infrastructure that is used. Cloud computing does not change this but brings an added focus because of the distributed nature of the cloud computing infrastructure and the shared responsibilities that it involves. Security considerations apply both to data at rest (held on some form of the storage system) and also to data in motion (being transferred over some form of communication link), both of which may need particular consideration when using cloud services.
Essentially, the questions relating to data for cloud computing are about various forms of risk: risk of theft or unauthorized disclosure of data, the risk of tampering or unauthorized modification of data, risk of loss or of unavailability of data. In the cloud, ‘data assets” may also include application programs or machine images, which can present the same risks as the contents of databases or data files.
The general approaches to the security of data are well described in specifications such as the ISO 27002 standard – and these control-oriented approaches apply to the use of cloud services, with some additional cloud-specific considerations as described in the ISO 27017 standard. Security controls described in ISO 27002 highlight the general features that need to be addressed, to which specific techniques can then be applied.
The category of the cloud service is very likely to affect who is responsible for handling particular security controls.
For IaaS, more responsibility is likely to be with the customer (e.g., for encrypting data stored on a cloud storage device)
For SaaS, more responsibility is likely to be the provider, since neither the stored data nor the application code is directly visible or controllable by the customer.
PaaS cloud services present unique challenges in that responsibility is likely shared between the customer and provider. It is important to understand how each service being utilized within the PaaS environment handles data security, including encryption as well as log file handling and administrative access. In addition, the customer needs to know what obligations it retains and what are the available features and configuration of the PaaS service that can facilitate data security.
4.10 The situation of cloud computing in Africa
In Africa, several cloud computing projects are already underway or under study. Of these projects, the most solid is the result of partnerships between international players and African economic operators.
The benefits to be derived from this advanced IT service appear to have convinced African players, and the indications are that the characteristics of cloud computing would be very appropriate to the African context. This would explain the interest shown by the various stakeholders, each of which is seeking to tap into those benefits as speedily as possible and get in at the beginning, in spite of the technical shortcomings and regulatory difficulties associated with the deployment of cloud computing technology.
The account also has to be taken, of course, of the circumstances specific to Africa, where the human, technical and financial resources that are available too, or within easy reach of, the African players often fall short of the requirements imposed by this new technology. It is therefore essential to implement training and institutional strengthening programs within African countries.
In an article recently published in the journal ‘Les Afriques’, Rapha”l Nkolwoudou, Associate Counsel Azaniaway Consulting, explains that cloud computing is suited to the African continent by reason of the concentration of infrastructures, availability of IT competencies and ease of implementation. There is, however, one prerequisite, which is to speed up the development of electronic communication infrastructures. He adds that among the specific benefits of cloud computing in Africa, two, in particular, are liable to make a significant contribution to reducing the digital divide, namely:
the ability to have immediate access to the latest innovations;
the possibility for an organization to do away with heavy investment in infrastructure, particularly where computation centers are concerned, given the unreliability of the electric power supply in Africa ( Slaheddine M.,2012).
4.11 Cloud Computing in Egypt
The national ICT strategy developed for Egypt (2012-2017) has identified a number of primary directions, one of them is an initiative for private cloud computing (MCIT, 2012). This is coupled and supported by one of the pillars of the strategy that is building an online information infrastructure enabling access to a wealth of digital content that includes sectors such as education, health, justice, culture and tourism; all with concrete implications and prospects for an agile and competitive SMEs sector once the infrastructure is completed and fully deployed. The national ICT strategy is formulated with a focus on a variety of policies addressing among its long list the notion of cloud computing. The policies are supposed to represent standards that should apply to all projects, programs, and activities implemented by the ICT sector. The strategy includes a list of 40 programs and is divided into 120 different projects all targeting the improvement and scalability of the impact, efficiency, and effectiveness of ICT in the economy. The policies include, but are not limited to; cloud computing, e-Commerce, open-source software, and educational reform using ICTs (MCIT, 2012).
It has to be made clear that the development of the SMEs sector is invaluable a national priority given the demographics of the society and the role a vibrant, agile and active private sector can play in the economy. Such effort needs to be developed collectively between the different stakeholders in the community as indicated before, this is imperative for its success. An integral element in the process is the proper introduction, adoption, diffusion, and adaptation of ICTs as well as availing the required human capacities required. The support of the government as an enabler and the expansion of the use of ICTs in the private sector and primarily SMEs will positively impact their efficiency. This can be realized through the maximization of the use of ICTs among SMEs and the development of related information systems (IS) and tools and applications such as mobile applications and more.
There are multiple efforts in Egypt that are developing to provide the proper environment to enable a cloud ecosystem. For example, IBM is building a cloud ecosystem in Cairo by providing computing expertise to 100 Egyptian software companies to help drive innovation and develop skills in the region. Such initiatives are becoming increasingly important since one of the major deterrents for the proper diffusion of cloud computing especially among SMEs is the awareness and knowledge acquired by management and staff related to cloud computing. IBM’s initiative is developed in collaboration with Egypt’s Information Technology Industry Development Agency (ITIDA) and the plan for the ecosystem is to help make Egypt become the center of cloud computing in the MENA region. In many ways, the IBM initiative is an important step towards stimulating the growth of cloud computing applications, expertise, know-how, promoting the culture, and the use of cloud computing in the local market. The initiative aims to support local software companies in acquiring skills and expertise in cloud computing as a source of innovation in the region. The objective is to help SMEs operating in the field of ICT expand their business base and enter new regional and international markets.
To date, the spending on public cloud services in Egypt is lower than in other countries in the region. Cloud computing is important for SMEs according to Amr Talaat, general manager of IBM Egypt where he believes that ‘it will enable SMEs to grow without large capital costs, it is a real bonus for Egypt’s fast-growing entrepreneurial clusters, which often lack funding or physical IT infrastructure.’ ITIDA has been consistently working to provide support for SMEs in the IT sector to enable them to expand their offerings into new markets and help grow the economy by focusing on emerging ICT trends such as cloud computing and big data analytics. For example, the IBM cloud computing initiative is helping to enable SMEs to use data and apply analytics on a massive scale, privately and securely. There are already 20 SMEs benefiting from the initiative by developing and testing cloud solutions and offering them through the cloud outreaching a larger global audience. In the context of SMEs, they always want easy to use, reliable, secure, sustainable and scalable applications that can help them become competitive as well as grow their business; in that sense, cloud computing could offer an ideal proposition ( Kamal S., Abousief M., 2015).
‘
Chapter Five The Empirical Study’s Finding, Results and Conclusion
Research Design and Methodology
Sample selection
Results
Summary and Conclusion
Recommendations
‘
5.Chapter Five: The Empirical Study’s Finding, Results and Conclusion
5.1Research Design and Methodology
Research methodology is the most important part of any thesis because it explains in details and shows all the tests and measurements done and its also explain how the data needed in this thesis is collected and gathered . the research methodology in general arranges logically all the guidelines for the data collection and the data analysis and then based on that , reaches for the results and conclusions for this thesis.
5.2 sample selection
The main aim of this thesis is to examine the role and responsibility of the external auditor towards the cloud computing activity. The hypotheses derived are mentioned below:
“H” _”\0\1″ There is a relationship between cloud computing activity and current skills, knowledge and qualification of Egyptian auditors in Egypt.
“H” _”\0\2″ There are impacts of cloud computing on the audit report.
“H” _”\0\3″ There are impacts of cloud computing on the risks of the audit process in Egypt.
“H” _”\04″ Cloud computing requires sufficient qualifications for auditors in the use of new technological tools used in the field of accounting.
The study population includes Central Auditing Organization, Deloitte Cairo, Baker Tilly Wahid Abdel Ghaffar & Co., Blom Bank and University teaching staff. To cover all perspectives the providers, users, and auditing.
Table 3 . Sample from Each Sector
Group Name Population
(N) Sample
(n) Sample fraction
(n”N)”100
A Baker till wag
(Waheed Abd Alghfar) 157 39 (39”157)”100=24.84%
Delioit 350 52 (52”350)”100=14.86%
B Bloom Bank 6 6 (6”6)”100=100%
C University teaching Staff 7 4 (4”7)”100=51.142%
D Central Auditing Organization 996 85 (85”996)”100=8.53%
n=(z_(1-(‘ )/2)^2*p(1-p))/d^2
Where
n=Required simple Size
Z= Standard Normal Value at confidence level (1- ‘)
Which ‘2 when confidence level is 95%
P= Estimated Population Proportion
d= Observed error =( true ‘ estimated )
n=(‘(2)’^2*1/2*1/2)/'(0.07)’^2 =204 distributed
Collected 185
Percentage of responds =95%
5.3Results
Frequency Table
Group
Frequency Percent Valid Percent Cumulative Percent
Valid Accounting 91 48.9 48.9 48.9
Bank 6 3.2 3.2 52.2
Central Auditing Organization 85 45.7 45.7 97.8
University teaching staff 4 2.2 2.2 100.0
Total 186 100.0 100.0
Gender
Frequency Percent Valid Percent Cumulative Percent
Valid Male 69 37.1 68.3 68.3
Female 32 17.2 31.7 100.0
Total 101 54.3 100.0
Missing System 85 45.7
Total 186 100.0
Name of the place of work:
Frequency Percent Valid Percent Cumulative Percent
Valid Waheed Abd Alghfar 39 21.0 21.0 21.0
Delioit 52 28.0 28.0 48.9
Central Auditing Organization 85 45.7 45.7 94.6
Bloom Bank 6 3.2 3.2 97.8
University teaching staff 4 2.2 2.2 100.0
Total 186 100.0 100.0
a1.Career status
Frequency Percent Valid Percent Cumulative Percent
Valid Financial Manager 6 3.2 3.2 3.2
External Auditor CPA Firm 91 48.9 48.9 52.2
University teaching staff 4 2.2 2.2 54.3
Auditor of the Central Auditing Organization 85 45.7 45.7 100.0
Total 186 100.0 100.0
a2.Degrees obtained
Frequency Percent Valid Percent Cumulative Percent
Valid Bachelor of undergraduate degree 159 85.5 85.5 85.5
Postgraduate Diploma 17 9.1 9.1 94.6
M.A. 5 2.7 2.7 97.3
Ph.D. 5 2.7 2.7 100.0
Total 186 100.0 100.0
a3.Membership of professional organizations
Frequency Percent Valid Percent Cumulative Percent
Valid Local 62 33.3 93.9 93.9
International 4 2.2 6.1 100.0
Total 66 35.5 100.0
Missing System 120 64.5
Total 186 100.0
a4.Years of experience in your field
Frequency Percent Valid Percent Cumulative Percent
Valid Less than 10 years 96 51.6 51.6 51.6
From 10 years to less than 20 years 60 32.3 32.3 83.9
20 years and above 30 16.1 16.1 100.0
Total 186 100.0 100.0
‘
a5.1 The nature of the activity of the company -Commercial
Frequency Percent Valid Percent Cumulative Percent
Valid Commercial 60 32.3 100.0 100.0
Missing System 126 67.7
Total 186 100.0
a5.2 The nature of the activity of the company -Industrial
Frequency Percent Valid Percent Cumulative Percent
Valid Industrial 40 21.5 100.0 100.0
Missing System 146 78.5
Total 186 100.0
a5.3 The nature of the activity of the company -Service
Frequency Percent Valid Percent Cumulative Percent
Valid Service 72 38.7 100.0 100.0
Missing System 114 61.3
Total 186 100.0
a5.4 The nature of the activity of the company -Other
Frequency Percent Valid Percent Cumulative Percent
Valid Others 37 19.9 100.0 100.0
Missing System 149 80.1
Total 186 100.0
q1.1 The usual method of auditing can be followed by companies that are using cloud computing.
Frequency Percent Valid Percent Cumulative Percent
Valid Strongly Disagree 4 2.2 2.2 2.2
Disagree 22 11.8 11.8 14.0
Neutral 61 32.8 32.8 46.8
Agree 67 36.0 36.0 82.8
Strongly Agree 32 17.2 17.2 100.0
Total 186 100.0 100.0
q1.2 Cloud computing will save a lot on Egyptian companies of different sizes (labor – time – money).
Frequency Percent Valid Percent Cumulative Percent
Valid Disagree 9 4.8 4.8 4.8
Neutral 55 29.6 29.6 34.4
Agree 73 39.2 39.2 73.7
Strongly Agree 49 26.3 26.3 100.0
Total 186 100.0 100.0
q1.3 The role of the education government, which should extend to services that address the needs of individuals and are based on cloud computing, is important.
Frequency Percent Valid Percent Cumulative Percent
Valid Strongly Disagree 1 .5 .5 .5
Disagree 6 3.2 3.2 3.8
Neutral 30 16.1 16.1 19.9
Agree 80 43.0 43.0 62.9
Strongly Agree 69 37.1 37.1 100.0
Total 186 100.0 100.0
q1.4 Legislation in Egypt should be considered to enact laws governing to use cloud computing.
Frequency Percent Valid Percent Cumulative Percent
Valid Disagree 7 3.8 3.8 3.8
Neutral 20 10.8 10.8 14.5
Agree 76 40.9 40.9 55.4
Strongly Agree 83 44.6 44.6 100.0
Total 186 100.0 100.0
q 1.5 Reduction of purchase prices of equipment, changing the license system of the application where the service is made on the basis of subscription can attract more companies to use.
Frequency Percent Valid Percent Cumulative Percent
Valid Strongly Disagree 3 1.6 1.6 1.6
Disagree 8 4.3 4.3 5.9
Neutral 42 22.6 22.6 28.5
Agree 91 48.9 48.9 77.4
Strongly Agree 42 22.6 22.6 100.0
Total 186 100.0 100.0
q1.6 Cloud computing and the virtual environment in general have an important and effective role in the development of Green IT.
Frequency Percent Valid Percent Cumulative Percent
Valid Strongly Disagree 1 .5 .5 .5
Disagree 1 .5 .5 1.1
Neutral 24 12.9 12.9 14.0
Agree 69 37.1 37.1 51.1
Strongly Agree 91 48.9 48.9 100.0
Total 186 100.0 100.0
q1.7 Helping companies in building the basic infrastructure of cloud computing by first studying their needs, then providing a road map and best practices, assuring them that the new system can save more than 50% of the cost of traditional storage.
Frequency Percent Valid Percent Cumulative Percent
Valid Strongly Disagree 1 .5 .5 .5
Disagree 4 2.2 2.2 2.7
Neutral 27 14.5 14.5 17.2
Agree 78 41.9 41.9 59.1
Strongly Agree 76 40.9 40.9 100.0
Total 186 100.0 100.0
q1.8 Provide a cloud computing infrastructure, including the development and improvement of the communications network so that it is ready to be used and accommodate the amount of communications in one.
Frequency Percent Valid Percent Cumulative Percent
Valid Strongly Disagree 1 .5 .5 .5
Disagree 2 1.1 1.1 1.6
Neutral 19 10.2 10.2 11.8
Agree 54 29.0 29.0 40.9
Strongly Agree 110 59.1 59.1 100.0
Total 186 100.0 100.0
q1.9There are challenges in selecting the model required for cloud adoption, whether public, private or mixed.
Frequency Percent Valid Percent Cumulative Percent
Valid Strongly Disagree 2 1.1 1.1 1.1
Disagree 6 3.2 3.2 4.3
Neutral 31 16.7 16.7 21.0
Agree 71 38.2 38.2 59.1
Strongly Agree 76 40.9 40.9 100.0
Total 186 100.0 100.0
q1.10 Do not rely on the place or tool (Computer – Mobil) you can enter the cloud from anywhere in the world only need to Internet service is one of the most important features of the cloud.
Frequency Percent Valid Percent Cumulative Percent
Valid Strongly Disagree 1 .5 .5 .5
Disagree 6 3.2 3.2 3.8
Neutral 35 18.8 18.8 22.6
Agree 48 25.8 25.8 48.4
Strongly Agree 96 51.6 51.6 100.0
Total 186 100.0 100.0
q2.1The audit report has an impact on the use of cloud computing.
Frequency Percent Valid Percent Cumulative Percent
Valid Strongly Disagree 5 2.7 2.7 2.7
Disagree 17 9.1 9.1 11.8
Neutral 36 19.4 19.4 31.2
Agree 93 50.0 50.0 81.2
Strongly Agree 35 18.8 18.8 100.0
Total 186 100.0 100.0
q2.2 There is insufficient evidence in the electronic cloud for the external auditor to audit the companies used and prepare the audit report.
Frequency Percent Valid Percent Cumulative Percent
Valid Strongly Disagree 3 1.6 1.6 1.6
Disagree 23 12.4 12.4 14.0
Neutral 56 30.1 30.1 44.1
Agree 83 44.6 44.6 88.7
Strongly Agree 21 11.3 11.3 100.0
Total 186 100.0 100.0
q3.1There are risks of using cloud computing in Egypt.
Frequency Percent Valid Percent Cumulative Percent
Valid Strongly Disagree 2 1.1 1.1 1.1
Disagree 15 8.1 8.1 9.1
Neutral 26 14.0 14.0 23.1
Agree 51 27.4 27.4 50.5
Strongly Agree 92 49.5 49.5 100.0
Total 186 100.0 100.0
q3.2 Egypt can face the potential risks of cloud computing.
Frequency Percent Valid Percent Cumulative Percent
Valid Strongly Disagree 8 4.3 4.3 4.3
Disagree 39 21.0 21.2 25.5
Neutral 79 42.5 42.9 68.5
Agree 47 25.3 25.5 94.0
Strongly Agree 11 5.9 6.0 100.0
Total 184 98.9 100.0
Missing System 2 1.1
Total 186 100.0
q3.3 Storage of information on cloud computing can be trusted.
Frequency Percent Valid Percent Cumulative Percent
Valid Strongly Disagree 4 2.2 2.2 2.2
Disagree 38 20.4 20.4 22.6
Neutral 62 33.3 33.3 55.9
Agree 61 32.8 32.8 88.7
Strongly Agree 21 11.3 11.3 100.0
Total 186 100.0 100.0
q3.4There is a possibility to move to the cloud in a simple and smooth
Frequency Percent Valid Percent Cumulative Percent
Valid Strongly Disagree 4 2.2 2.2 2.2
Disagree 13 7.0 7.0 9.1
Neutral 77 41.4 41.4 50.5
Agree 68 36.6 36.6 87.1
Strongly Agree 24 12.9 12.9 100.0
Total 186 100.0 100.0
q3.5 Lack of auditing standards for cloud computing leads to corporate theft and bankruptcy.
Frequency Percent Valid Percent Cumulative Percent
Valid Strongly Disagree 11 5.9 5.9 5.9
Disagree 15 8.1 8.1 14.0
Neutral 40 21.5 21.5 35.5
Agree 56 30.1 30.1 65.6
Strongly Agree 64 34.4 34.4 100.0
Total 186 100.0 100.0
q3.6 Legal coverage of e-commerce transactions that are an integral part of cloud computing should be available.
Frequency Percent Valid Percent Cumulative Percent
Valid Strongly Disagree 1 .5 .5 .5
Neutral 11 5.9 5.9 6.5
Agree 84 45.2 45.2 51.6
Strongly Agree 90 48.4 48.4 100.0
Total 186 100.0 100.0
q3.7 Input flow methods must be adopted, where the files are checked before being stored by the company and that there are no viruses.
Frequency Percent Valid Percent Cumulative Percent
Valid Disagree 4 2.2 2.2 2.2
Neutral 22 11.8 11.8 14.0
Agree 65 34.9 34.9 48.9
Strongly Agree 95 51.1 51.1 100.0
Total 186 100.0 100.0
q3.8 An additional copy of the data shall be made and kept in a safe and appropriate place in order to protect the saved information.
Frequency Percent Valid Percent Cumulative Percent
Valid Strongly Disagree 1 .5 .5 .5
Disagree 2 1.1 1.1 1.6
Neutral 18 9.7 9.7 11.3
Agree 52 28.0 28.0 39.2
Strongly Agree 113 60.8 60.8 100.0
Total 186 100.0 100.0
q3.9 Passwords must be specified for entering and changing to log in periodically.
Frequency Percent Valid Percent Cumulative Percent
Valid Strongly Disagree 1 .5 .5 .5
Disagree 2 1.1 1.1 1.6
Neutral 23 12.4 12.4 14.0
Agree 51 27.4 27.4 41.4
Strongly Agree 109 58.6 58.6 100.0
Total 186 100.0 100.0
q3.10 There are challenges in the service policy whether it is programming or infrastructure.
Frequency Percent Valid Percent Cumulative Percent
Valid Strongly Disagree 2 1.1 1.1 1.1
Disagree 6 3.2 3.2 4.3
Neutral 29 15.6 15.6 19.9
Agree 63 33.9 33.9 53.8
Strongly Agree 86 46.2 46.2 100.0
Total 186 100.0 100.0
q3.11 Information piracy is one of the most important challenges facing cloud users.
Frequency Percent Valid Percent Cumulative Percent
Valid Strongly Disagree 1 .5 .5 .5
Disagree 4 2.2 2.2 2.7
Neutral 24 12.9 12.9 15.6
Agree 43 23.1 23.1 38.7
Strongly Agree 114 61.3 61.3 100.0
Total 186 100.0 100.0
q4.1 External Auditor in Egypt has sufficient qualifications to review cloud computing.
Frequency Percent Valid Percent Cumulative Percent
Valid Strongly Disagree 3 1.6 1.6 1.6
Disagree 29 15.6 15.6 17.2
Neutral 75 40.3 40.3 57.5
Agree 50 26.9 26.9 84.4
Strongly Agree 29 15.6 15.6 100.0
Total 186 100.0 100.0
q4.2 There is a relationship between the activities of the cloud and the skills of the external auditor.
Frequency Percent Valid Percent Cumulative Percent
Valid Strongly Disagree 3 1.6 1.6 1.6
Disagree 11 5.9 5.9 7.5
Neutral 58 31.2 31.2 38.7
Agree 95 51.1 51.1 89.8
Strongly Agree 19 10.2 10.2 100.0
Total 186 100.0 100.0
q4.3 The External Auditor may audit the financial statements of companies using cloud computing.
Frequency Percent Valid Percent Cumulative Percent
Valid Strongly Disagree 4 2.2 2.2 2.2
Disagree 11 5.9 5.9 8.1
Neutral 76 40.9 40.9 48.9
Agree 79 42.5 42.5 91.4
Strongly Agree 16 8.6 8.6 100.0
Total 186 100.0 100.0
q4.4 There are special requirements for auditing on cloud computing.
Frequency Percent Valid Percent Cumulative Percent
Valid Disagree 7 3.8 3.8 3.8
Neutral 28 15.1 15.1 18.8
Agree 104 55.9 55.9 74.7
Strongly Agree 47 25.3 25.3 100.0
Total 186 100.0 100.0
q4.5The development of human resources in the field of cloud computing should be developed .
Frequency Percent Valid Percent Cumulative Percent
Valid Disagree 3 1.6 1.6 1.6
Neutral 21 11.3 11.3 12.9
Agree 93 50.0 50.0 62.9
Strongly Agree 69 37.1 37.1 100.0
Total 186 100.0 100.0
q4.6 The need for new mindsets to accommodate this kind of change.
Frequency Percent Valid Percent Cumulative Percent
Valid Strongly Disagree 2 1.1 1.1 1.1
Disagree 12 6.5 6.5 7.5
Neutral 34 18.3 18.3 25.8
Agree 84 45.2 45.2 71.0
Strongly Agree 54 29.0 29.0 100.0
Total 186 100.0 100.0
q4.7 The need to provide a legal framework that regulates the use of electronic forms and gives them legal power over the usual paper forms.
Frequency Percent Valid Percent Cumulative Percent
Valid Strongly Disagree 4 2.2 2.2 2.2
Disagree 6 3.2 3.2 5.4
Neutral 21 11.3 11.3 16.7
Agree 51 27.4 27.4 44.1
Strongly Agree 104 55.9 55.9 100.0
Total 186 100.0 100.0
q5.1 Learn the infrastructure control tools.
Frequency Percent Valid Percent Cumulative Percent
Valid 1 117 62.9 100.0 100.0
Missing System 69 37.1
Total 186 100.0
q5.2 Control virtual machines.
Frequency Percent Valid Percent Cumulative Percent
Valid 1 112 60.2 100.0 100.0
Missing System 74 39.8
Total 186 100.0
q5.3 Development of platforms.
Frequency Percent Valid Percent Cumulative Percent
Valid 1 115 61.8 100.0 100.0
Missing System 71 38.2
Total 186 100.0
q5.4 Develop the way the application is announced and provided to any provider.
Frequency Percent Valid Percent Cumulative Percent
Valid 1 136 73.1 100.0 100.0
Missing System 50 26.9
Total 186 100.0
q5.5 Encourage international companies to set up centers for cloud computing in Egypt.
Frequency Percent Valid Percent Cumulative Percent
Valid 1 147 79.0 100.0 100.0
Missing System 39 21.0
Total 186 100.0
q5.6 Development of educational studies programs.
Frequency Percent Valid Percent Cumulative Percent
Valid 1 129 69.4 100.0 100.0
Missing System 57 30.6
Total 186 100.0
q5.7 Another ( mention ).
Frequency Percent Valid Percent Cumulative Percent
Valid 1 10 5.4 100.0 100.0
Missing System 176 94.6
Total 186 100.0
‘
Descriptive Statistics
N Mean Std. Deviation C.V
q1.1 The usual method of auditing can be followed by companies that are using cloud computing. 186 3.54 .981 27.698
q1.2 Cloud computing will save a lot on Egyptian companies of different sizes (labor – time – money). 186 3.87 .860 22.223
q1.3 The role of the education government, which should extend to services that address the needs of individuals and are based on cloud computing, is important. 186 4.13 .835 20.216
q1.4 Legislation in Egypt should be considered to enact laws governing to use cloud computing. 186 4.26 .799 18.740
q 1.5 Reduction of purchase prices of equipment, changing the license system of the application where the service is made on the basis of subscription can attract more companies to use. 186 3.87 .869 22.475
q1.6 Cloud computing and the virtual environment in general have an important and effective role in the development of Green IT. 186 4.33 .762 17.578
q1.7 Helping companies in building the basic infrastructure of cloud computing by first studying their needs, then providing a road map and best practices, assuring them that the new system can save more than 50% of the cost of traditional storage. 186 4.20 .806 19.175
q1.8 Provide a cloud computing infrastructure, including the development and improvement of the communications network so that it is ready to be used and accommodate the amount of communications in one. 186 4.45 .764 17.169
q1.9There are challenges in selecting the model required for cloud adoption, whether public, private or mixed. 186 4.15 .886 21.364
q1.10 Do not rely on the place or tool (Computer – Mobil) you can enter the cloud from anywhere in the world only need to Internet service is one of the most important features of the cloud. 186 4.25 .908 21.385
Auditors agrees with The usual method of auditing can be followed by companies that are using cloud computing. but they don’t agree with Cloud computing and the virtual environment in general have an important and effective role in the development of Green IT.
Descriptive Statistics
N Mean Std. Deviation C.V
q2.1The audit report has an impact on the use of cloud computing. 186 3.73 .960 25.734
q2.2 There is insufficient evidence in the electronic cloud for the external auditor to audit the companies used and prepare the audit report. 186 3.52 .908 25.818
Descriptive Statistics
N Mean Std. Deviation C.V
q3.1There are risks of using cloud computing in Egypt. 186 4.16 1.017 24.428
q3.2 Egypt can face the potential risks of cloud computing. 184 3.08 .938 30.486
q3.3 Storage of information on cloud computing can be trusted. 186 3.31 .991 29.959
q3.4There is a possibility to move to the cloud in a simple and smooth 186 3.51 .884 25.172
q3.5 Lack of auditing standards for cloud computing leads to corporate theft and bankruptcy. 186 3.79 1.174 30.964
q3.6 Legal coverage of e-commerce transactions that are an integral part of cloud computing should be available. 186 4.41 .653 14.818
q3.7 Input flow methods must be adopted, where the files are checked before being stored by the company and that there are no viruses. 186 4.35 .772 17.752
q3.8 An additional copy of the data shall be made and kept in a safe and appropriate place in order to protect the saved information. 186 4.47 .758 16.951
q3.9 Passwords must be specified for entering and changing to log in periodically. 186 4.42 .790 17.853
q3.10 There are challenges in the service policy whether it is programming or infrastructure. 186 4.21 .897 21.306
q3.11 Information piracy is one of the most important challenges facing cloud users. 186 4.42 .836 18.905
Most of answers agrees with Lack of auditing standards for cloud computing leads to corporate theft and bankruptcy. while they disagree Legal coverage of e-commerce transactions that are an integral part of cloud computing should be available.
Descriptive Statistics
N Mean Std. Deviation C.V
q4.1 External Auditor in Egypt has sufficient qualifications to review cloud computing. 186 3.39 .982 28.942
q4.2 There is a relationship between the activities of the cloud and the skills of the external auditor. 186 3.62 .811 22.379
q4.3 The External Auditor may audit the financial statements of companies using cloud computing. 186 3.49 .820 23.474
q4.4 There are special requirements for auditing on cloud computing. 186 4.03 .746 18.517
q4.5The development of human resources in the field of cloud computing should be developed . 186 4.23 .707 16.735
q4.6 The need for new mindsets to accommodate this kind of change. 186 3.95 .911 23.080
q4.7 The need to provide a legal framework that regulates the use of electronic forms and gives them legal power over the usual paper forms. 186 4.32 .948 21.960
Survey appear that most agrees with External Auditor in Egypt has sufficient qualifications to review cloud computing while they disagrees with The development of human resources in the field of cloud computing should be developed.
Summary and conclusion
introduction
Running a successful small business usually means that you are focused on looking after your customers, growing sales and improving profitability. It also means that you are on top of your finances with upto-date, accurate information, so that you can make well-informed decisions, improve profits and manage your cash flow. Working on the cloud will give you the opportunity to reduce the amount of time you spend working on tedious, time-consuming tasks, allowing you to concentrate on what you do best: growing your business.
You can also be confident that you will have greater access to real-time data for your business ‘ no matter where you are ‘ as business information is accessible any time, any place, on any device that has internet access (much like internet banking).
This thesis examined the role and responsibility of the external auditors toward the cloud computing .IT audit helps organizations to clarify the compliance risk and security risk to their systems it can reduce cloud computing risk and cost .
Research Problem
The main problem can be represented as follows: What is the impact of cloud computing on the external auditors work? This can be summarized in the following points:
What is the methodology used by the external auditor towards the cloud computing to ensure the quality of the process?
What are the requirements needed by the external auditor in Egypt to face new risks associated with practice of cloud computing?
Is the external auditor in Egypt able to audit financial statements data’s for cloud computing process, and face its challenges in light of his current skills?
Hypotheses used
Based on the literature review; the following hypothesis are constructed and developed to cover and include all the variables in the study theoretical framework used in the thesis . the main objective for developing these hypotheses is to test in particular the empirical reality that is derived from a more general suggestion in the previous studies and literature mentioned and studied . The hypotheses derived are mentioned below:
“H” _”\0\1″ There is a relationship between cloud computing activity and current skills, knowledge and qualification of Egyptian auditors in Egypt.
“H” _”\0\2″ There are impacts of cloud computing on the audit report.
“H” _”\0\3″ There are impacts of cloud computing on the risks of the audit process in Egypt.
“H” _”\04″ Cloud computing requires sufficient qualifications for auditors in the use of new technological tools used in the field of accounting.
Results
Auditors agrees with The usual method of auditing can be followed by companies that are using cloud computing. but they don’t agree with Cloud computing and the virtual environment in general have an important and effective role in the development of Green IT. Most of answers agrees with Lack of auditing standards for cloud computing leads to corporate theft and bankruptcy. while they disagree Legal coverage of e-commerce transactions that are an integral part of cloud computing should be available. Survey appear that most agrees with External Auditor in Egypt has sufficient qualifications to review cloud computing while they disagrees with The development of human resources in the field of cloud computing should be developed.
Reference
Articles
Abd Al-kaderkalaf, O., and Ayyed., E. (2015), IT Auditing to Assure a Secure Cloud Computing for Enterprise Applications, International Journal of Engineering Research and General Science Vol. 3, Issue 1, PP.18-21
Arora P., Chaudhry R. W., Satinder E. P. A. (2012). cloud computing security issues infrastructure as a service, International Journal of Advanced Research in Computer Science and Software Engineering, Vol.2 issues 1.
Biswas S.(2011a).is cloud computing security ?yes, another perspective
Bierstaker, Jamis L., Priscilla B., and Jay t.,(2001). The impact of information technology on the audit process an assessment of the state of the art and implications for the future, Managerial Auditing Journal pp.159-169
Bisong, A., and Rahman, M. (2011). An overview of the security concerns in enterprise cloud computing. arXiv preprint arXiv:1101.5613
Brown, R. G. (1962). Changing audit objectives and techniques. The Accounting Review, vol.37 No.4, pp.696-703
Brakeville S., Perepa B.(2016). Blockchain basics: Introduction to business ledgers,
pp .1-6
Brender N., Markov I. (2013). Risk perception and risk management in cloud computing: Results from a case study of Swiss companies, Published in International journal of information management, Vol. 33, No. 5, PP. 726-733
Carroll M., Vander M. A., and Kotze D., (2011).Secure cloud computing: Benefits, risks, and controls, Annual Information Security for South Africa (ISSA) conference, South Africa
Cloud Security Alliance. (2010). Top threats to cloud computing v1.0. Retrieved from
https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
Cloud Security Alliance. (2011). Security guidance for critical areas of focus in cloud
computing v3.0. Retrieved from https://cloudsecurityalliance.org/research/security-
guidance
Cloude B., Eric C., Mike E., Janathan G., David H., Ryan K.,(2015). Security for cloud computing ten steps insurance success version 2.0, cloud standards customer council
Colbert, J.L. (1995).- Risk: internal and external auditors operate from two different, official definitions of risk, Internal Auditor
CPA Steve obock (2017), Audit quality assurance workshop, risk assessment and internal control KPMG Keny..
Cunningham, P. (2009, June). Three cloud computing risks to consider. Information Security Magazine. Retrieved from http://www.arma.org/press/armanews/infosecurity.pdf
Dialogic (2010). International to Cloud Computing .White Paper ,pp.3-8.
Different types of Audit opinions applied by KPMG in the Annual Report (2011)
Dhupia S., Gupta S., Khanna M.,(2013).Forensic services,KPMG.PP.3-6
Das,D.C. ,(2013).Impact of cloud computing in library services (ppt) www.kiit,ac.in/centrallibrary/pdf-plesentation/impact-of-cloud-computing-on-library-services.pdf
European Network and Information Security Agency. (2009a). An SME perspective on cloud computing: A survey. Retrieved from http://www.enisa.europa.eu/activities/risk-
management/files/deliverables/cloud-computing-sme-surve
European Network and Information Security Agency. (2009b). Cloud computing: Benefits ,risks and recommendations for information security. Retrieved from
http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-
computing-risk-assessment
Farhan B.,Sajjad H.,(2011).The international conference on internet technology and secured transactions ,UAE
Flynn C., (2015) .Cloud Taxation Issues and Impacts , Earnest and Young , PP.7-10.
Gary Moulton G., et al (2013),Standard Practices for Investigative and Forensic Accounting
Gholami, A., Laure E., (2016). Security and privacy of sensitive data in cloud computing: a survey of recent developments. PHD Thesis Stockholm, Sweden 2016
Heiser, J., and Nicolett, M. (2008). Assessing the security risks of cloud computing. Stamford, CT: Gartner Research. Retrieved from http://cloud.ctrls.in/files/assessing-the-security-risks.pdf
Hosam F.,El-Sofany,Abdulelah Al Tayeb , Khalid A., Samir A.,(2012).The impact of cloud computing technologies in E-learning
Hussien A. , Mohamed O.(2015).cloud computing and is effect on performance excellent at higher education institution in Egypt ( an analytical study ) ,European Scientific Journal ,pp.1-14
Kambil, A. (2009) .A head in the clouds, Journal of Business Strategy, Vol. 30 Issue: 4, pp.58-59.
Kamel, S. , Abouseif, M. ( 2015) . A Study of the Role and Impact of Cloud Computing on Small and Medium Size Enterprises (SMEs) in Egypt, Microsoft Corporation, DOI: 10.13140/RG.2.1.1417.1760,PP.14-19.
Kamau O.,(2012). Audit Evidence Refresher,ISACA,pp.2-3.
Kaufman L. M. (2009). Data security in the world of cloud computing .IEEE security and privacy
Kelkar S. (2015).Challenges and opportunities with Computing , International Journal of Innovative research in Computer and Communication Engineering ,Vol.3, Issue 4 , PP.2723-2724
Koparkar, P., and MacKrell, D. (2016). How Fluffy is the Cloud?: Cloud Intelligence for a Not-For-Profit. arXiv preprint arXiv:1606.00752.
Maaref, S. (2012). Cloud computing in Africa-Situation and perspectives. Telecommun. Dev. Sect.-ITU, PP.3-4.
Mangiuc, D. (2017). Accountants and the cloud’Involving the professionals. Journal of Accounting and Management Information Systems, Vol.16 No.1, pp.179-198
Mcdonough D., (2015). Cloud Computing : The non IT auditor’s guide to auditing the cloud , Deloitte .
Ministry of Communications and Information Technology (MCIT) ,(2012).National ICT Strategy 2012-2017 towards a digital society and knowledge based economy.
Mell P.,Grance T., (2011).Special Publication 800-145: the NIST Defination of cloud computing , National Institute of standard and Technology , Wachington ,DC
National Institute of Standards and Technology. (2011). Final definition of NIST cloud computing definition published. National Institute of Standards and Technology.
Nicolaou, C. A., Nicolaou, A. I., and Nicolaou, G. D. (2012). Auditing in the cloud: Challenges and opportunities. The CPA Journal,Vol. 82,No.1,PP. 66.
Omer K.,Safia A.,El-SayedM., Abdl- Badeeh M.(2014).Cryptographic Cloud Computing Environment as a More Trusted Communication Environment ,International Journal of Grid and High Performance Computing Vol.6 , Issue 2, PP.38-51.
OneStopClick. (2011). Mobile & remote working in 2011: An overview of cloud services for today’s SMEs. Retrieved from http://hosting.onestopclick.com/white-
papers/129/mobile-remote-working-in-2011-an-overview-of-cloud-services-for-
today%E2%80%99s-sme.html
Popovic, K., & Hocenski, Z. (2010). Cloud computing security issues and challenges.
Proceedings of the 33rd International Convention MIPRO, 344-349. Retrieved from
http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5533317
Prakash, S. (2011, March/April). Risk management: Cloud computing considerations.
Canadian Management Accounting. Retrieved from http://www.nxtbook.com/nxtbooks/naylor/SMAS0211/index.php#/40
Pop, A., Bota-Avram, C., and Bota-Avram, F. (2008). The relationship between internal and external audit. Annales Universitatis Apulensis Series Oeconomica, Vol.1 No.10.
Phil G., (2005). Risk based auditing ,Burlington USA ,Gower publishing company.International Standard on Auditing 200,2009
P.Krubhala and K.SaravanaKumar (2013), Dynamic auditing and accounting mechanism for policy based data access in cloud.International Journal of Engineering Science and Innovative Technology (IJESIT),Vol. 2, Issue :3 ,PP.181-188
Qusay F.,(2011). Demystifying cloud computing, PP.17-19
Radu F. , Ramona F.,(2011).audit techniques and audit evidence vol.XIV issue 1/20011 , PP.350-358
Rev B., (2012). Cloud Computing Benefits risk and Recommendations for Information Security, European Network and Information Security Agent , PP.11
Scheier, R. L. (2009). What to do if your cloud provider disappears. Retrieved from
http://www.infoworld.com/d/cloud-computing/what-do-if-your-cloud-provider-
disappears-508?page=0,3
Srikumar, U. J. (2013). Cloud computing and SMEs in India-opportunities and challenges, International Journal of Current Research, volume 5, issue 8, pp. 2379-2383.
Sultan N. A., (2011).Reaching for the cloud How SMEs can manage , International Journal of Information Management
Tarmidi, M., Rasid, S. Z. A., Alrazi, B., and Roni, R. A. (2014). Cloud computing awareness and adoption among accounting practitioners in Malaysia. Procedia-Social and Behavioral Sciences, vol.164 ,pp. 569-574
Thornton J., (2017). Accounting for the Cloud , The Chartered Institute of Public Finance and Accountancy PP.19-21
Thomas P. DiNapoli,(2016).understanding audit process ,Office of the State Comptroller Division of Local Government and School Accountability
Trivedi, H. (2013). Cloud Adoption Model for Governments and Large Enterprises. Unpublished MSc Thesis, Massachusetts Institute of Technology, Massachusetts.
U-C Section 300 Planning an Audit Source,(2016). AICPA, SAS No. 122; SAS No. 128.
Wieger,W.and Cassie Meschke,C., (2011), Cloud Computing An Internal Audit Perspective,KPMG,PP.5-14
Wyslocka, E., and Jelonek, D.(2014). Accounting IT systems and requirements of Polish law, Advances in Information Science and Applications – Volume I ,pp.167-169.
Yati Nurhajati , (2016).the impact of cloud computing technology on the audit process and the audit profession , International Journal of Scientific and Technology Research,Vol.5, Issue8.
Zhang, C. (2014). Challenges and Strategies of Promoting Cloud Accounting. Management & Engineering, pp.17- 79.
‘
Books
Ahmed, R. (2016). Cloud Computing Using Oracle Application Express. Apress , chapter 1
Arens, A. A., Elder, R. J., and Mark, B. (2012). Auditing and assurance services: an integrated approach, Boston: Prentice Hall.14th edition .
Bragg, Steve M.,Wiley Practitioner’s Guide to GAAS (2010).including all SASs , SSAEs,SSARSs and Interpretations , Johan Willy and sons.
Casey, E. (2011). Digital evidence and computer crime: Forensic science, computers, and the internet. Academic press, sixth edition .
Davis C., Schiller M. , Wheeler K.(2011). IT Auditing Using Controls to Protect Information Assets, 2nd Edition (Networking & Communication ) 2nd Edition
Dobro”eanu, L.& Dobro”eanu C.L. (2002). Audit ‘ concepte si practici, abordare na”ional” ”i interna”ional”, Editura Economic”, Bucure”ti,
Flint, D. (1988). Philosophy and principles of auditing. Hampshire:
Macmillan Education Ltd.
Halpert, B. (2011). Auditing cloud computing: a security and privacy guide(Vol. 21). John Wiley & Sons .
Mason, S., & Seng, D. (2017). Electronic evidence, fourth edition
Normanton, E. L. (1966). The accountability and audit of governments: A comparative study. Manchester University Press.
Richard E. Cascarino (2007).Auditor’s Guide to information systems auditing , John wiley and sons
Sadiq, K., Coleman, C., Hanegbi, R., Hart, G., Jogarajan, S., Krever, R., … & Ting, A. (2012). Principles of taxation law 2012. Thomson Reuters. Taxable Sales of Tangible Personal Property As Applied to Various Businesses, Trades, and Occupations, chapter 13
Slaheddine M. ,(2012).cloud computing in Africa situation and perspective , telecommunication development sector.
Tommie W. Singleton, Aaron J. Singleton,(2010).Fraud Auditing and Forensic Accounting, 4th Edition
ZaighamM.,(2011).cloud computing for enterprise architecture , Richard hill
ISBN 978-977-473-181-5
Websites
www.Webopedia. com,
www. MCIT.com ,
www.liquidaccounts.com
Cameron, A.(2016).7 Startup Accounting Problems Solved With Cloud Software,patriot software https://www.patriotsoftware.com/accounting/training/blog/cloud-accounting-software-startup-problems-solved/
http://ik.ahram.org.eg/News/22606.aspx
www.cipfa.org/services/networks/finance-advisory-network/tax-advisory-service
https://www.nij.gov/topics/forensics/evidence/digital/pages/welcome.aspx
http://www.acfe.com/forensic-accountant.aspx
http://www.alborsanews.com/
http://www.seu.ac.lk/careerguidanceunit/freedownload/0000%20The%20NIST%20Definition%20of%20Cloud%20Computing.pdf.
www.gartner.com/newsroom/id/2613015
http://www.accountancystudents.co.uk.
www. theelsesite.wordpress.com
Appendix B
Helwan University
Faculty of Commerce and Business Administration
Accounting department
Questionnaire
Mr./
Mrs./
Kind greetings,,,,,
The researcher / conducts a field study as part of the thesis submitted for a master’s degree in accounting entitled: The Role and Responsibility of the External Auditor towards the cloud computing – An empirical study.
The thesis is under the supervision of:
– Prof. Dr. Ali Ahmed Mostafa Zein, Professor of Accounting and Auditing at Helwan University and Dean of the Cairo Institute of Languages, Interpretation and Management Sciences in Mokattam.
-Dr. Hanan Jaber Hassan Abbas, Associated Professor of Accounting and Auditing .
The aim of this thesis is to explore the views of those involved in cloud computing and its impact on accounting and auditing, with a focus on the role and responsibility of the auditor in this regard.
The researcher would like to thank you in advance for your cooperation with her by answering the questions in the attached survey list to reflect your views on the paragraphs that will help her complete the study properly to achieve satisfactory results achieved for the purpose of the study, and assure you that your answers will be treated as top secret and will be used only for scientific research purposes.
Best regards
PERSONAL DATA
Name: …………………… (optional)
Gender :……………………..
Name of the place of work:
E-mail :
Career status:
Financial Manager External Auditor CPA Firm University teaching staff Auditor of the Central Auditing Organization
Degrees obtained:
Ph.D. M.A. Postgraduate Diploma Bachelor of undergraduate degree
Membership of professional organizations:
International Local
Years of experience in your field:
Less than 10 years From 10 years to less than 20 years 20 years and above
The nature of the activity of the company in which you operate or audit:
Commercial Industrial Service Other
Summary of the research topic and a list of terms in the survey list:
First: Summary of the research topic:
Cloud computing is the main trend in the whole world currently, and it is not a technological fashion and if we do not talk about it at the present time and benefited from them we will fall behind the technological development witnessed by most countries of the world Computerization is a real direction will change the form of the software industry and information technology in the world, All sectors – government, health or education – will be the way of life in the future, just like the Internet.
Second : List of terms in the survey list :
Term Definition
Cloud Computing Is a technology that relies on the transfer of processing and storage space of the computer to the so-called cloud, a server is accessed through the Internet, and thus turn IT programs from products to services. Thus, this technology contributes to the removal of the problems of maintenance and development of information technology programs on the companies used for them, and therefore the focus of the efforts of the beneficiaries on the use of these services only. The cloud computing infrastructure relies on sophisticated data centers that provide large storage space for users.
Environmentally friendly information technology (Green IT) Cloud computing and the virtual environment in general play an important role in the development of Green IT. Green technology and cloud computing are closely interrelated. Cloud computing is virtual technology that reduces the number of machines and devices used and thus reflects green technology because it also helps to provide energy.
Reference
http://ar.wikipedia.org
The survey list will be divided into five sections, each section containing a set of questions related to one of the four hypotheses in the thesis body.
Each question has five choices:
Strongly Agree – Agree – Neutral – Disagree ‘ Strongly Disagree by Likert Scale. In front of the question and in the box that you have chosen kindly put (‘).
Section I:
This section contain set of questions related to the first hypothesis, which states: “There is a relationship between cloud computing activity and current skills, knowledge and qualification of Egyptian auditors in Egypt.” This group includes the following ten questions:
Strongly Disagree Disagree Neutral Agree Strongly Agree Statement
1.1 The usual method of auditing can be followed by companies that are using cloud computing.
1.2 Cloud computing will save a lot on Egyptian companies of different sizes (labor – time – money).
1.3 The role of the education government, which should extend to services that address the needs of individuals and are based on cloud computing, is important.
1.4 Legislation in Egypt should be considered to enact laws governing to use cloud computing.
1.5 Reduction of purchase prices of equipment, changing the license system of the application where the service is made on the basis of subscription can attract more companies to use.
1.6 Cloud computing and the virtual environment in general have an important and effective role in the development of Green IT.
1.7 Helping companies in building the basic infrastructure of cloud computing by first studying their needs, then providing a road map and best practices, assuring them that the new system can save more than 50% of the cost of traditional storage.
1.8 Provide a cloud computing infrastructure, including the development and improvement of the communications network so that it is ready to be used and accommodate the amount of communications in one.
1.9There are challenges in selecting the model required for cloud adoption, whether public, private or mixed.
1.10 Do not rely on the place or tool (Computer – Mobil) you can enter the cloud from anywhere in the world only need to Internet service is one of the most important features of the cloud.
Section II :
The second set of questions, which states: “There are impacts of cloud computing on the audit report.” This set includes the following two questions:
Statement Strongly Agree Agree Neutral Disagree Strongly Disagree
2.1The audit report has an impact on the use of cloud computing.
2.2 There is insufficient evidence in the electronic cloud for the external auditor to audit the companies used and prepare the audit report.
Section III :
The set of questions related to the third hypothesis, which states: “There are impacts of cloud computing on the risks of audit process in Egypt.” This group includes the following eleven questions:
Statement Strongly Agree Agree Neutral Disagree Strongly Disagree
3.1There are risks of using cloud computing in Egypt.
3.2 Egypt can face the potential risks of cloud computing.
3.3 Storage of information on cloud computing can be trusted.
3.4There is a possibility to move to the cloud in a simple and smooth
3.5 Lack of auditing standards for cloud computing leads to corporate theft and bankruptcy.
3.6 Legal coverage of e-commerce transactions that are an integral part of cloud computing should be available.
3.7 Input flow methods must be adopted, where the files are checked before being stored by the company and that there are no viruses.
3.8 An additional copy of the data shall be made and kept in a safe and appropriate place in order to protect the saved information.
3.9 Passwords must be specified for entering and changing to log in periodically.
3.10 There are challenges in the service policy whether it is programming or infrastructure.
3.11 Information piracy is one of the most important challenges facing cloud users.
Section IIII :
The fourth set of questions, which states: “Cloud computing requires sufficient qualifications for auditors in the use of new technological tools used in the field of accounting.” This group includes the following seven questions:
Statement Strongly Agree Agree Neutral Disagree Strongly Disagree
4.1 External Auditor in Egypt has sufficient qualifications to review cloud computing.
4.2 There is a relationship between the activities of the cloud and the skills of the external auditor.
4.3 The External Auditor may audit the financial statements of companies using cloud computing.
4.4 There are special requirements for auditing on cloud computing.
4.5The development of human resources in the field of cloud computing should be developed .
4.6 The need for new mindsets to accommodate this kind of change.
4.7 The need to provide a legal framework that regulates the use of electronic forms and gives them legal power over the usual paper forms.
Section IV :
Requirements for the preparation of cadres:
There are many ways to develop new mindsets that accommodate this type of change to learn new cloud control methods (multiple choice). More than one answer can be selected:
Statement kindly put mark (‘)
5.1 Learn the infrastructure control tools.
5.2 Control virtual machines.
5.3 Development of platforms.
5.4 Develop the way the application is announced and provided to any provider.
5.5 Encourage international companies to set up centers for cloud computing in Egypt.
5.6 Development of educational studies programs.
5.7 Another ( mention ).
Other notes on the survey area:
………………………………………………………………………………… ………………………………………………………………………………… …………………………………………………………………………………
Thanks
Essay: The Role and Responsibility of the External Auditor towards Cloud Computing
Essay details and download:
- Subject area(s): Information technology essays
- Reading time: 120 minutes
- Price: Free download
- Published: 27 July 2024*
- Last Modified: 27 July 2024
- File format: Text
- Words: 34,637 (approx)
- Number of pages: 139 (approx)
- Tags: Cloud Computing essays
Text preview of this essay:
This page of the essay has 34,637 words.
About this essay:
If you use part of this page in your own work, you need to provide a citation, as follows:
Essay Sauce, The Role and Responsibility of the External Auditor towards Cloud Computing. Available from:<https://www.essaysauce.com/information-technology-essays/the-role-and-responsibility-of-the-external-auditor-towards-cloud-computing/> [Accessed 19-11-24].
These Information technology essays have been submitted to us by students in order to help you with your studies.
* This essay may have been previously published on EssaySauce.com and/or Essay.uk.com at an earlier date than indicated.